[PATCH 0/5] net: lwip: root certificates

Jerome Forissier jerome.forissier at linaro.org
Thu Mar 13 14:23:32 CET 2025 


On 3/13/25 13:51, Simon Glass wrote:
> Hi Jerome,
> 
> On Fri, 7 Mar 2025 at 10:49, Jerome Forissier
> <jerome.forissier at linaro.org> wrote:
>>
>> Hi Simon,
>>
>> On 3/4/25 16:46, Simon Glass wrote:
>>> Hi Jerome,
>>>
>>> On Thu, 27 Feb 2025 at 09:43, Jerome Forissier
>>> <jerome.forissier at linaro.org> wrote:
>>>>
>>>>
>>>>
>>>> On 2/27/25 17:27, Simon Glass wrote:
>>>>> Hi Jerome,
>>>>>
>>>>> On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
>>>>> <jerome.forissier at linaro.org> wrote:
>>>>>>
>>>>>> This series adds support for HTTP server authentication using root (CA)
>>>>>> certificates.
>>>>>>
>>>>>> As a first step, the wget command is extended to support a sub-command:
>>>>>> cacert <addr> <size>. The memory region shall contain the CA
>>>>>> certificates. With this, it is possible to load the certificates from
>>>>>> storage or get them from the network for example, which is convenient
>>>>>> for testing at least. The Kconfig symbol for this feature is
>>>>>> WGET_CACERT=y.
>>>>>>
>>>>>> Then new Kconfig symbols are added to support providing the certificates
>>>>>> at build time, as a DER or PEM encoded X509 collection:
>>>>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
>>>>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
>>>>>> command as well as for the builtin way).
>>>>>>
>>>>>> Here is a complete example (showing only the relevant output from the
>>>>>> various commands):
>>>>>>
>>>>>>  make qemu_arm64_lwip_defconfig
>>>>>>  wget https://curl.se/ca/cacert.pem
>>>>>>  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
>>>>>>  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
>>>>>>  make olddefconfig
>>>>>>  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
>>>>>>  qemu-system-aarch64 -M virt -nographic -cpu max \
>>>>>>         -object rng-random,id=rng0,filename=/dev/urandom \
>>>>>>         -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
>>>>>>  => dhcp
>>>>>>  # HTTPS transfer using the builtin CA certificates
>>>>>>  => wget https://www.google.com/
>>>>>>  18724 bytes transferred in 15 ms (1.2 MiB/s)
>>>>>>  # Disable certificate validation
>>>>>>  => wget cacert 0 0
>>>>>>  # Unsafe HTTPS transfer
>>>>>>  => wget https://www.google.com/
>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>  16570 bytes transferred in 15 ms (1.1 MiB/s)
>>>>>>  # Dowload and apply CA certificates from the net
>>>>>>  => wget https://curl.se/ca/cacert.pem
>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>  ##
>>>>>>  233263 bytes transferred in 61 ms (3.6 MiB/s)
>>>>>>  => wget cacert $fileaddr $filesize
>>>>>>  # Now HTTPS is authenticated against the new CA
>>>>>>  => wget https://www.google.com/
>>>>>>  18743 bytes transferred in 14 ms (1.3 MiB/s)
>>>>>>  # Drop the certificates again...
>>>>>>  => wget cacert 0 0
>>>>>>  # Check that transfer is not secure
>>>>>>  => wget https://www.google.com/
>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>  # Restore the builtin CA
>>>>>>  => wget cacert builtin
>>>>>>  # No more WARNING
>>>>>>  => wget https://www.google.com/
>>>>>>  18738 bytes transferred in 15 ms (1.2 MiB/s)
>>>>>>
>>>>>> Jerome Forissier (5):
>>>>>>   net: lwip: extend wget to support CA (root) certificates
>>>>>>   lwip: tls: enforce checking of server certificates based on CA
>>>>>>     availability
>>>>>>   lwip: tls: warn when no CA exists amd log certificate validation
>>>>>>     errors
>>>>>>   net: lwip: add support for built-in root certificates
>>>>>>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
>>>>>>     MBEDTLS_LIB_X509_PEM
>>>>>>
>>>>>>  cmd/Kconfig                                   | 29 ++++++
>>>>>>  cmd/net-lwip.c                                | 19 +++-
>>>>>>  configs/qemu_arm64_lwip_defconfig             |  2 +
>>>>>>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
>>>>>>  .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
>>>>>>  lib/mbedtls/Makefile                          |  3 +
>>>>>>  lib/mbedtls/mbedtls_def_config.h              |  5 ++
>>>>>>  net/lwip/Makefile                             |  6 ++
>>>>>>  net/lwip/wget.c                               | 90 ++++++++++++++++++-
>>>>>>  9 files changed, 158 insertions(+), 11 deletions(-)
>>>>>
>>>>> Did you manage to add some sandbox tests for lwip?
>>>>
>>>> Unfortunately not. I am testing mostly with QEMU (qemu_arm64_lwip_defconfig)
>>>> and sometimes with KV260 and i.MX93.
>>>
>>> My understanding was that someone was working on it [1] and I had
>>> assumed it was you?
>>
>> Yes, it is on my TODO list. Higher priority things have kept coming in, but
>> hopefully I can resume this work soon.
> 
> Until the tests are added, please stop sending new series for lwip. It
> is just going to make it harder to add the tests later.

I don't see how exactly it would make things harder, but...

> It should not
> take long to add a basic test, e.g. for ping.

...I'm on it.

> Regards,
> Simon

Thanks,
-- 
Jerome

More information about the U-Boot mailing list