[PATCH v2 1/6] net: lwip: extend wget to support CA (root) certificates
Ilias Apalodimas
ilias.apalodimas at linaro.org
Sun Mar 9 12:00:22 CET 2025
On Sun, 9 Mar 2025 at 12:58, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi Jerome, Heinrich
>
> On Wed, 5 Mar 2025 at 17:13, Jerome Forissier
> <jerome.forissier at linaro.org> wrote:
> >
> > Hi Heinrich,
> >
> > On 3/5/25 16:07, Heinrich Schuchardt wrote:
> > > On 05.03.25 15:26, Jerome Forissier wrote:
> > >> Add the "cacert" (Certification Authority certificates) subcommand to
> > >> wget to pass root certificates to the code handling the HTTPS protocol.
> > >> The subcommand is enabled by the WGET_CACERT Kconfig symbol.
> > >>
> > >> Usage example:
> > >>
> > >> => dhcp
> > >> # Download some root certificates (note: not authenticated!)
> > >> => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
> > >> # Provide root certificates
> > >> => wget cacert $fileaddr $filesize
> > >> # Enforce verification (it is optional by default)
> > >> => wget cacert required
> > >> # Forget the root certificates
> > >> => wget cacert 0 0
> > >> # Disable verification
> > >> => wget cacert none
> > >>
> > >> Signed-off-by: Jerome Forissier <jerome.forissier at linaro.org>
> > >> ---
> > >> cmd/Kconfig | 8 ++++
> > >> cmd/net-lwip.c | 17 ++++++--
> > >> net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++--
> > >> 3 files changed, 121 insertions(+), 6 deletions(-)
> > >>
> > >> diff --git a/cmd/Kconfig b/cmd/Kconfig
> > >> index 8dd42571abc..d469217c0ea 100644
> > >> --- a/cmd/Kconfig
> > >> +++ b/cmd/Kconfig
> > >> @@ -2177,6 +2177,14 @@ config WGET_HTTPS
> > >> help
> > >> Enable TLS over http for wget.
> > >>
> > >> +config WGET_CACERT
> > >> + bool "wget cacert"
> > >> + depends on CMD_WGET
> > >> + depends on WGET_HTTPS
> > >> + help
> > >> + Adds the "cacert" sub-command to wget to provide root certificates
> > >> + to the HTTPS engine. Must be in DER format.
> > >> +
> > >
> > > Shouldn't we build CA certs into U-Boot?
> > > Downloading certs from unsafe media is not a good replacement.
> >
> > That's the purpose of patch 4/6 [1]. Although downloading may still be a
> > valid option when used with hash verification as I mentioned in a reply to
> > Ilias in v1 [2].
> >
>
> FWIW I think this still makes sense for peopke that don't want or can
> not add the cert in the u-boot binary, but can add a signed script to
> download it on the fly
>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
This still stands, but there are a few warning/errors on the entire
patchset. Can you address them and send a v3?
Thanks
/Ilias
More information about the U-Boot
mailing list