[PATCH 0/5] net: lwip: root certificates

Simon Glass sjg at chromium.org
Sat Mar 15 13:47:03 CET 2025


Hi Jerome,

On Fri, 14 Mar 2025 at 22:01, Jerome Forissier
<jerome.forissier at linaro.org> wrote:
>
> Hi Simon,
>
> On 3/13/25 14:23, Jerome Forissier wrote:
> >
> >
> > On 3/13/25 13:51, Simon Glass wrote:
> >> Hi Jerome,
> >>
> >> On Fri, 7 Mar 2025 at 10:49, Jerome Forissier
> >> <jerome.forissier at linaro.org> wrote:
> >>>
> >>> Hi Simon,
> >>>
> >>> On 3/4/25 16:46, Simon Glass wrote:
> >>>> Hi Jerome,
> >>>>
> >>>> On Thu, 27 Feb 2025 at 09:43, Jerome Forissier
> >>>> <jerome.forissier at linaro.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 2/27/25 17:27, Simon Glass wrote:
> >>>>>> Hi Jerome,
> >>>>>>
> >>>>>> On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
> >>>>>> <jerome.forissier at linaro.org> wrote:
> >>>>>>>
> >>>>>>> This series adds support for HTTP server authentication using root (CA)
> >>>>>>> certificates.
> >>>>>>>
> >>>>>>> As a first step, the wget command is extended to support a sub-command:
> >>>>>>> cacert <addr> <size>. The memory region shall contain the CA
> >>>>>>> certificates. With this, it is possible to load the certificates from
> >>>>>>> storage or get them from the network for example, which is convenient
> >>>>>>> for testing at least. The Kconfig symbol for this feature is
> >>>>>>> WGET_CACERT=y.
> >>>>>>>
> >>>>>>> Then new Kconfig symbols are added to support providing the certificates
> >>>>>>> at build time, as a DER or PEM encoded X509 collection:
> >>>>>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >>>>>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >>>>>>> command as well as for the builtin way).
> >>>>>>>
> >>>>>>> Here is a complete example (showing only the relevant output from the
> >>>>>>> various commands):
> >>>>>>>
> >>>>>>>  make qemu_arm64_lwip_defconfig
> >>>>>>>  wget https://curl.se/ca/cacert.pem
> >>>>>>>  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
> >>>>>>>  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
> >>>>>>>  make olddefconfig
> >>>>>>>  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
> >>>>>>>  qemu-system-aarch64 -M virt -nographic -cpu max \
> >>>>>>>         -object rng-random,id=rng0,filename=/dev/urandom \
> >>>>>>>         -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
> >>>>>>>  => dhcp
> >>>>>>>  # HTTPS transfer using the builtin CA certificates
> >>>>>>>  => wget https://www.google.com/
> >>>>>>>  18724 bytes transferred in 15 ms (1.2 MiB/s)
> >>>>>>>  # Disable certificate validation
> >>>>>>>  => wget cacert 0 0
> >>>>>>>  # Unsafe HTTPS transfer
> >>>>>>>  => wget https://www.google.com/
> >>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>>  16570 bytes transferred in 15 ms (1.1 MiB/s)
> >>>>>>>  # Download and apply CA certificates from the net
> >>>>>>>  => wget https://curl.se/ca/cacert.pem
> >>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>>  ##
> >>>>>>>  233263 bytes transferred in 61 ms (3.6 MiB/s)
> >>>>>>>  => wget cacert $fileaddr $filesize
> >>>>>>>  # Now HTTPS is authenticated against the new CA
> >>>>>>>  => wget https://www.google.com/
> >>>>>>>  18743 bytes transferred in 14 ms (1.3 MiB/s)
> >>>>>>>  # Drop the certificates again...
> >>>>>>>  => wget cacert 0 0
> >>>>>>>  # Check that transfer is not secure
> >>>>>>>  => wget https://www.google.com/
> >>>>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>>  # Restore the builtin CA
> >>>>>>>  => wget cacert builtin
> >>>>>>>  # No more WARNING
> >>>>>>>  => wget https://www.google.com/
> >>>>>>>  18738 bytes transferred in 15 ms (1.2 MiB/s)
> >>>>>>>
> >>>>>>> Jerome Forissier (5):
> >>>>>>>   net: lwip: extend wget to support CA (root) certificates
> >>>>>>>   lwip: tls: enforce checking of server certificates based on CA
> >>>>>>>     availability
> >>>>>>>   lwip: tls: warn when no CA exists amd log certificate validation
> >>>>>>>     errors
> >>>>>>>   net: lwip: add support for built-in root certificates
> >>>>>>>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
> >>>>>>>     MBEDTLS_LIB_X509_PEM
> >>>>>>>
> >>>>>>>  cmd/Kconfig                                   | 29 ++++++
> >>>>>>>  cmd/net-lwip.c                                | 19 +++-
> >>>>>>>  configs/qemu_arm64_lwip_defconfig             |  2 +
> >>>>>>>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
> >>>>>>>  .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
> >>>>>>>  lib/mbedtls/Makefile                          |  3 +
> >>>>>>>  lib/mbedtls/mbedtls_def_config.h              |  5 ++
> >>>>>>>  net/lwip/Makefile                             |  6 ++
> >>>>>>>  net/lwip/wget.c                               | 90 ++++++++++++++++++-
> >>>>>>>  9 files changed, 158 insertions(+), 11 deletions(-)
> >>>>>>
> >>>>>> Did you manage to add some sandbox tests for lwip?
> >>>>>
> >>>>> Unfortunately not. I am testing mostly with QEMU (qemu_arm64_lwip_defconfig)
> >>>>> and sometimes with KV260 and i.MX93.
> >>>>
> >>>> My understanding was that someone was working on it [1] and I had
> >>>> assumed it was you?
> >>>
> >>> Yes, it is on my TODO list. Higher priority things have kept coming in, but
> >>> hopefully I can resume this work soon.
> >>
> >> Until the tests are added, please stop sending new series for lwip. It
> >> is just going to make it harder to add the tests later.
> >
> > I don't see how exactly it would make things harder, but...
> >
> >> It should not
> >> take long to add a basic test, e.g. for ping.
> >
> > ...I'm on it.
>
> Please see https://lists.denx.de/pipermail/u-boot/2025-March/583551.html.

Thank you for doing that!

Regards,
Simon
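The cover letter quoted above describes a policy rather than a parser: `wget cacert <addr> <size>` installs a CA bundle, `cacert 0 0` drops it (HTTPS continues, but unauthenticated and with a warning), and `cacert builtin` restores the build-time bundle; PEM input additionally needs `MBEDTLS_LIB_X509_PEM`. The following is an added, self-contained C example of that policy, written for this page and not taken from the series, U-Boot or mbedTLS. Every type, function and constant in it (`struct ca_store`, `ca_store_set`, `ca_store_authmode`, the format and authmode enums, the sample bundles) is an assumption; the "certificates" are constructed stand-ins so the DER length check has something to walk, not real X.509 data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types standing in for the CA store behind "wget cacert"; not
 * U-Boot's or mbedTLS's own definitions. */
enum ca_format { CA_FORMAT_NONE, CA_FORMAT_PEM, CA_FORMAT_DER, CA_FORMAT_UNKNOWN };
enum tls_authmode { TLS_AUTH_NONE, TLS_AUTH_REQUIRED };

struct ca_store {
	const uint8_t *addr;
	size_t size;
	enum ca_format format;
};

/* Constructed sample bundles (not real certificates): a PEM header with a
 * placeholder body, and a minimal DER SEQUENCE { INTEGER 5 } so the ASN.1
 * length check has something to walk. */
static const char sample_pem[] =
	"-----BEGIN CERTIFICATE-----\n"
	"PLACEHOLDER\n"
	"-----END CERTIFICATE-----\n";
static const uint8_t sample_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
/* Header declares 256 bytes but only one follows: a truncated memory region. */
static const uint8_t truncated_der[] = { 0x30, 0x82, 0x01, 0x00, 0x00 };

/* Does the DER outer SEQUENCE fit inside the region? Short-form and 1/2-byte
 * long-form lengths cover any X.509 certificate. */
static int der_outer_fits(const uint8_t *p, size_t size)
{
	size_t hdr, len;

	if (size < 2 || p[0] != 0x30)
		return 0;
	if (p[1] < 0x80) {
		hdr = 2; len = p[1];
	} else if (p[1] == 0x81 && size >= 3) {
		hdr = 3; len = p[2];
	} else if (p[1] == 0x82 && size >= 4) {
		hdr = 4; len = ((size_t)p[2] << 8) | p[3];
	} else {
		return 0;
	}
	return hdr + len <= size;
}

/* Classify the region: empty, PEM text, DER with a consistent length, or junk. */
enum ca_format ca_detect_format(const uint8_t *addr, size_t size)
{
	static const char pem_hdr[] = "-----BEGIN CERTIFICATE-----";
	size_t hdr_len = sizeof(pem_hdr) - 1;

	if (!addr || size == 0)
		return CA_FORMAT_NONE;
	if (size >= hdr_len && memcmp(addr, pem_hdr, hdr_len) == 0)
		return CA_FORMAT_PEM;
	if (der_outer_fits(addr, size))
		return CA_FORMAT_DER;
	return CA_FORMAT_UNKNOWN;
}

/* "wget cacert <addr> <size>": addr 0 / size 0 clears the store. PEM input is
 * refused when the PEM parser is not built in (MBEDTLS_LIB_X509_PEM=n). */
int ca_store_set(struct ca_store *s, const uint8_t *addr, size_t size, int pem_supported)
{
	enum ca_format f = ca_detect_format(addr, size);

	if (f == CA_FORMAT_UNKNOWN)
		return -1;
	if (f == CA_FORMAT_PEM && !pem_supported)
		return -2;
	s->addr = addr;
	s->size = size;
	s->format = f;
	return 0;
}

/* "wget cacert builtin": reinstall the bundle embedded at build time. */
int ca_store_set_builtin(struct ca_store *s, int pem_supported)
{
	return ca_store_set(s, (const uint8_t *)sample_pem, sizeof(sample_pem) - 1, pem_supported);
}

/* The policy from the series: verify the server certificate whenever a CA
 * bundle is loaded; otherwise continue unauthenticated and say so. */
enum tls_authmode ca_store_authmode(const struct ca_store *s)
{
	if (s->format == CA_FORMAT_NONE) {
		fprintf(stderr, "WARNING: no CA certificates, HTTPS connections not authenticated\n");
		return TLS_AUTH_NONE;
	}
	return TLS_AUTH_REQUIRED;
}

int main(void)
{
	struct ca_store s = { NULL, 0, CA_FORMAT_NONE };

	ca_store_set_builtin(&s, 1);                 /* builtin CA: authenticated */
	ca_store_authmode(&s);
	ca_store_set(&s, NULL, 0, 1);                /* "wget cacert 0 0": warns */
	ca_store_authmode(&s);
	printf("truncated DER load: %d\n", ca_store_set(&s, truncated_der, sizeof(truncated_der), 1));
	ca_store_set(&s, sample_der, sizeof(sample_der), 1);
	printf("authmode after DER load: %d\n", ca_store_authmode(&s));
	return 0;
}
```

The point of the length check is the failure mode a user of `cacert <addr> <size>` can hit: a `$filesize` that is too small for the buffer it points at leaves the store untouched rather than silently installing a bundle that cannot be parsed, so the warning and the unauthenticated fallback remain visible instead of masking a misconfiguration.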
