Hi Jerome,

On Thu, 27 Feb 2025 at 20:31, Jerome Forissier <jerome.foriss...@linaro.org> wrote:
>
> On 2/27/25 19:06, Tom Rini wrote:
> > On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote:
> >
> >> This series adds support for HTTP server authentication using root (CA)
> >> certificates.
> >>
> >> As a first step, the wget command is extended to support a sub-command:
> >> cacert <addr> <size>. The memory region shall contain the CA
> >> certificates. With this, it is possible to load the certificates from
> >> storage or get them from the network for example, which is convenient
> >> for testing at least. The Kconfig symbol for this feature is
> >> WGET_CACERT=y.
> >>
> >> Then new Kconfig symbols are added to support providing the certificates
> >> at build time, as a DER or PEM encoded X509 collection:
> >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >> command as well as for the builtin way).
[...]

I don't know if we can do it in this patchset, but in the future, we
could store the sha256 and the CA certificate path in a U-Boot elf
section. Since we will soon have .rodata section with proper memory
permissions, we could automatically download the cert in mem and make
sure it's valid.

Cheers
/Ilias