[U-Boot] RSA in U-Boot
Paolo Bonzini
pbonzini at redhat.com
Sat Apr 27 05:31:37 UTC 2019
> >> I've done porting linux's pkcs7/x509 parsers and they work well
> >> with my UEFI secure boot patch, but I'm still looking for other options
> >> as well.
> >>
> >> * openssl
> >> Most of existing components linked to UEFI secure boot, including
> >> EDK2, shim and grub, reply on this library. Why not for U-Boot?
> >> The size of U-Boot UEFI code in U-Boot is already quite big, and
> >> so the size of openssl won't be a big issue.
> >> * mbedTLS
> >> which is maintained by ARM and used with Zephyr, I guess it should
> >> have small footprint. But it currently lacks pkcs7 parser.
> >>
> >> Any thoughts?
> >
> >
> > Paolo, Laszlo, Ard, if you could write a new secure boot implementation
> > today, which of the options above would you pick and why so? :)
>
> Difficult question. Ideally you'd want a library where three aspects met:
>
> - widely used (so that there is a diverse community that's interested in
> vulnerabilities, and fixing them too)
>
> - easy to cross-compile for your free-standing environment (optimally
> the upstream project would support being cross-compiled and packaged
> stand-alone, for that free-standing environment)
>
> - cares about API stability
>
> OpenSSL is very widely used...
> ...and that's where we can stop in the list :)
It's also license-incompatible with U-Boot's GPLv2 I think. I guess
grub can use it because GPLv3 and Apache v2 can be combined just fine.
Reusing Linux's code seems like the best match.
Paolo
More information about the U-Boot
mailing list