[PATCH v2 1/6] net: lwip: extend wget to support CA (root) certificates
Jerome Forissier
jerome.forissier at linaro.org
Mon Mar 10 09:08:56 CET 2025
On 3/9/25 12:00, Ilias Apalodimas wrote:
> On Sun, 9 Mar 2025 at 12:58, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
>>
>> Hi Jerome, Heinrich
>>
>> On Wed, 5 Mar 2025 at 17:13, Jerome Forissier
>> <jerome.forissier at linaro.org> wrote:
>>>
>>> Hi Heinrich,
>>>
>>> On 3/5/25 16:07, Heinrich Schuchardt wrote:
>>>> On 05.03.25 15:26, Jerome Forissier wrote:
>>>>> Add the "cacert" (Certification Authority certificates) subcommand to
>>>>> wget to pass root certificates to the code handling the HTTPS protocol.
>>>>> The subcommand is enabled by the WGET_CACERT Kconfig symbol.
>>>>>
>>>>> Usage example:
>>>>>
>>>>> => dhcp
>>>>> # Download some root certificates (note: not authenticated!)
>>>>> => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
>>>>> # Provide root certificates
>>>>> => wget cacert $fileaddr $filesize
>>>>> # Enforce verification (it is optional by default)
>>>>> => wget cacert required
>>>>> # Forget the root certificates
>>>>> => wget cacert 0 0
>>>>> # Disable verification
>>>>> => wget cacert none
>>>>>
>>>>> Signed-off-by: Jerome Forissier <jerome.forissier at linaro.org>
>>>>> ---
>>>>> cmd/Kconfig | 8 ++++
>>>>> cmd/net-lwip.c | 17 ++++++--
>>>>> net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++--
>>>>> 3 files changed, 121 insertions(+), 6 deletions(-)
>>>>>
>>>>> diff --git a/cmd/Kconfig b/cmd/Kconfig
>>>>> index 8dd42571abc..d469217c0ea 100644
>>>>> --- a/cmd/Kconfig
>>>>> +++ b/cmd/Kconfig
>>>>> @@ -2177,6 +2177,14 @@ config WGET_HTTPS
>>>>> help
>>>>> Enable TLS over http for wget.
>>>>>
>>>>> +config WGET_CACERT
>>>>> + bool "wget cacert"
>>>>> + depends on CMD_WGET
>>>>> + depends on WGET_HTTPS
>>>>> + help
>>>>> + Adds the "cacert" sub-command to wget to provide root certificates
>>>>> + to the HTTPS engine. Must be in DER format.
>>>>> +
>>>>
>>>> Shouldn't we build CA certs into U-Boot?
>>>> Downloading certs from unsafe media is not a good replacement.
>>>
>>> That's the purpose of patch 4/6 [1]. Although downloading may still be a
>>> valid option when used with hash verification as I mentioned in a reply to
>>> Ilias in v1 [2].
>>>
>>
>> FWIW I think this still makes sense for peopke that don't want or can
>> not add the cert in the u-boot binary, but can add a signed script to
>> download it on the fly
>>
>> Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>
> This still stands, but there are a few warning/errors on the entire
> patchset. Can you address them and send a v3?
Which warnings/errors? Which config? I see none with qemu_arm64_lwip_defconfig.
Thanks,
--
Jerome
>
> Thanks
> /Ilias
More information about the U-Boot
mailing list