Hi Ilias, On 2/28/25 08:40, Ilias Apalodimas wrote: > Hi Jerome, > > On Thu, 27 Feb 2025 at 20:31, Jerome Forissier > <jerome.foriss...@linaro.org> wrote: >> >> >> >> On 2/27/25 19:06, Tom Rini wrote: >>> On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote: >>> >>>> This series adds support for HTTP server authentication using root (CA) >>>> certificates. >>>> >>>> As a first step, the wget command is extended to support a sub-command: >>>> cacert <addr> <size>. The memory region shall contain the CA >>>> certificates. With this, it is possible to load the certificates from >>>> storage or get them from the network for example, which is convenient >>>> for testing at least. The Kconfig symbol for this feature is >>>> WGET_CACERT=y. >>>> >>>> Then new Kconfig symbols are added to support providing the certificates >>>> at build time, as a DER or PEM encoded X509 collection: >>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. >>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert >>>> command as well as for the builtin way). > > [...] > > I don't know if we can do it in this patchset, but in the future, we > could store the sha256 and the CA certificate path in a U-Boot elf > section. > Since we will soon have .rodata section with proper memory > permissions, we could automatically download the cert in mem and make > sure it's valid.
That's a good idea and I think we have (almost) enough to do that already via scripting: => wget https://curl.se/ca/cacert.pem WARNING: no CA certificates, HTTPS connections not authenticated ## 233263 bytes transferred in 96 ms (2.3 MiB/s) Bytes transferred = 233263 (38f2f hex) => hash sha256 $fileaddr $filesize cacert_sha256 sha256 for 40200000 ... 40238f2e ==> 50a6277ec69113f00c5fd45f09e8b97a4b3e32daa35d3a95ab30137a55386cef => if test "$cacert_sha256" = 50a6277ec69113f00c5fd45f09e8b97a4b3e32daa35d3a95ab30137a55386cef; then wget cacert $fileaddr $filesize; fi => wget cacert required The last step is currently missing but trivial to implement. It tells wget that it must not do HTTPS without CA certificates. So if the hash doesn't match the cacert will remain unset and wget will error out on https://. I can add it in v2. I still think it may be a good idea to be able to embed the certificates themselves, because for some reason the CA server might not be always available or we may want to avoid an extra download. Perhaps gzip support would be nice, too? Cheers, -- Jerome
