Hi Simon,

On 3/4/25 16:46, Simon Glass wrote:
> Hi Jerome,
> 
> On Thu, 27 Feb 2025 at 09:43, Jerome Forissier
> <jerome.foriss...@linaro.org> wrote:
>>
>>
>>
>> On 2/27/25 17:27, Simon Glass wrote:
>>> Hi Jerome,
>>>
>>> On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
>>> <jerome.foriss...@linaro.org> wrote:
>>>>
>>>> This series adds support for HTTP server authentication using root (CA)
>>>> certificates.
>>>>
>>>> As a first step, the wget command is extended to support a sub-command:
>>>> cacert <addr> <size>. The memory region shall contain the CA
>>>> certificates. With this, it is possible to load the certificates from
>>>> storage or get them from the network for example, which is convenient
>>>> for testing at least. The Kconfig symbol for this feature is
>>>> WGET_CACERT=y.
>>>>
>>>> Then new Kconfig symbols are added to support providing the certificates
>>>> at build time, as a DER or PEM encoded X509 collection:
>>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
>>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
>>>> command as well as for the builtin way).
>>>>
>>>> Here is a complete example (showing only the relevant output from the
>>>> various commands):
>>>>
>>>>  make qemu_arm64_lwip_defconfig
>>>>  wget https://curl.se/ca/cacert.pem
>>>>  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
>>>>  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
>>>>  make olddefconfig
>>>>  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
>>>>  qemu-system-aarch64 -M virt -nographic -cpu max \
>>>>         -object rng-random,id=rng0,filename=/dev/urandom \
>>>>         -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
>>>>  => dhcp
>>>>  # HTTPS transfer using the builtin CA certificates
>>>>  => wget https://www.google.com/
>>>>  18724 bytes transferred in 15 ms (1.2 MiB/s)
>>>>  # Disable certificate validation
>>>>  => wget cacert 0 0
>>>>  # Unsafe HTTPS transfer
>>>>  => wget https://www.google.com/
>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>  16570 bytes transferred in 15 ms (1.1 MiB/s)
>>>>  # Download and apply CA certificates from the net
>>>>  => wget https://curl.se/ca/cacert.pem
>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>  ##
>>>>  233263 bytes transferred in 61 ms (3.6 MiB/s)
>>>>  => wget cacert $fileaddr $filesize
>>>>  # Now HTTPS is authenticated against the new CA
>>>>  => wget https://www.google.com/
>>>>  18743 bytes transferred in 14 ms (1.3 MiB/s)
>>>>  # Drop the certificates again...
>>>>  => wget cacert 0 0
>>>>  # Check that transfer is not secure
>>>>  => wget https://www.google.com/
>>>>  WARNING: no CA certificates, HTTPS connections not authenticated
>>>>  # Restore the builtin CA
>>>>  => wget cacert builtin
>>>>  # No more WARNING
>>>>  => wget https://www.google.com/
>>>>  18738 bytes transferred in 15 ms (1.2 MiB/s)
>>>>
>>>> Jerome Forissier (5):
>>>>   net: lwip: extend wget to support CA (root) certificates
>>>>   lwip: tls: enforce checking of server certificates based on CA
>>>>     availability
>>>>   lwip: tls: warn when no CA exists and log certificate validation
>>>>     errors
>>>>   net: lwip: add support for built-in root certificates
>>>>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
>>>>     MBEDTLS_LIB_X509_PEM
>>>>
>>>>  cmd/Kconfig                                   | 29 ++++++
>>>>  cmd/net-lwip.c                                | 19 +++-
>>>>  configs/qemu_arm64_lwip_defconfig             |  2 +
>>>>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
>>>>  .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
>>>>  lib/mbedtls/Makefile                          |  3 +
>>>>  lib/mbedtls/mbedtls_def_config.h              |  5 ++
>>>>  net/lwip/Makefile                             |  6 ++
>>>>  net/lwip/wget.c                               | 90 ++++++++++++++++++-
>>>>  9 files changed, 158 insertions(+), 11 deletions(-)
>>>
>>> Did you manage to add some sandbox tests for lwip?
>>
>> Unfortunately not. I am testing mostly with QEMU (qemu_arm64_lwip_defconfig)
>> and sometimes with KV260 and i.MX93.
> 
> My understanding was that someone was working on it [1] and I had
> assumed it was you?

Yes, it is on my TODO list. Higher priority things have kept coming in, but
hopefully I can resume this work soon.

Regards,
-- 
Jerome

> 
> Regards,
> Simon
> 
> [1] https://lore.kernel.org/u-boot/CAC_iWjKMo7=RE3=1=y3mpgc95ito170rujyk6omh-4nuaj8...@mail.gmail.com/
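Added example, not part of the series or of the thread above: a small offline helper for preparing the memory region that the cover letter's `wget cacert <addr> <size>` sub-command consumes. It splits a PEM bundle laid out like curl's cacert.pem (comment lines between CERTIFICATE blocks) into its individual DER certificates, validates the outer ASN.1 SEQUENCE of each one, and classifies a buffer as PEM or DER so you know whether the MBEDTLS_LIB_X509_PEM=y requirement mentioned in the cover letter applies. The sample bundle is constructed from a synthetic DER SEQUENCE, not a real certificate. The trailing NUL that `prepare_cacert_region()` appends to PEM input follows the documented contract of mbedTLS's mbedtls_x509_crt_parse(), which expects NUL-terminated PEM with the terminator counted in the length; whether the U-Boot command adds that byte itself is not shown in the thread, so the helper adding it is an assumption.

```python
"""Offline helpers for preparing a CA bundle for `wget cacert <addr> <size>`.

Added example; not code from the U-Boot series discussed on this page.
"""
import base64
import re

# Constructed sample: a synthetic DER SEQUENCE { INTEGER 1, OCTET STRING "hello" }.
# It is NOT a real X.509 certificate; it only exercises the TLV handling.
FAKE_DER_CERT = bytes.fromhex("300a" "020101" "040568656c6c6f")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def _pem_block(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block (76-column base64 body)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + \
        b"-----END CERTIFICATE-----\n"


# Constructed sample in the layout of curl's cacert.pem: comment and title
# lines sit between the PEM blocks and must be skipped by the parser.
SAMPLE_PEM_BUNDLE = (
    b"##\n## Bundle of CA Root Certificates (constructed sample)\n##\n\n"
    b"Fake Root CA 1\n==============\n" + _pem_block(FAKE_DER_CERT) +
    b"\nFake Root CA 2\n==============\n" + _pem_block(FAKE_DER_CERT)
)


def der_element_len(buf: bytes) -> int:
    """Total size (tag + length octets + content) of the DER element at buf[0].
    Raises ValueError on a malformed or truncated length header."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def split_der_sequence(buf: bytes) -> list:
    """Split a concatenation of DER SEQUENCEs (tag 0x30) into its elements.
    Returns [] if the buffer is empty, malformed, or cut off mid-element."""
    out, off = [], 0
    while off < len(buf):
        if buf[off] != 0x30:
            return []
        try:
            n = der_element_len(buf[off:])
        except ValueError:
            return []
        if off + n > len(buf):             # element claims more bytes than present
            return []
        out.append(buf[off:off + n])
        off += n
    return out


def pem_to_der_list(buf: bytes) -> list:
    """Extract every CERTIFICATE block from a PEM bundle as raw DER bytes,
    ignoring text between blocks. Blocks whose base64 body is invalid or does
    not decode to exactly one well-formed DER SEQUENCE are dropped."""
    certs = []
    for m in PEM_RE.finditer(buf):
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            continue
        if len(split_der_sequence(der)) == 1:
            certs.append(der)
    return certs


def classify(buf: bytes) -> str:
    """'pem', 'der' or 'unknown'. Per the cover letter, PEM input needs
    MBEDTLS_LIB_X509_PEM=y in the U-Boot config; DER input does not."""
    if PEM_RE.search(buf):
        return "pem"
    if split_der_sequence(buf):
        return "der"
    return "unknown"


def prepare_cacert_region(buf: bytes) -> tuple:
    """Return (bytes_to_load, size) for `wget cacert <addr> <size>`.
    PEM data gets a terminating NUL appended (assumption: mbedtls_x509_crt_parse()
    requires NUL-terminated PEM and counts the NUL in the length; the thread does
    not show whether the U-Boot command adds it). DER passes through unchanged."""
    kind = classify(buf)
    if kind == "pem":
        region = buf if buf.endswith(b"\0") else buf + b"\0"
    elif kind == "der":
        region = buf
    else:
        raise ValueError("buffer is neither a PEM bundle nor DER certificates")
    return region, len(region)


if __name__ == "__main__":
    certs = pem_to_der_list(SAMPLE_PEM_BUNDLE)
    region, size = prepare_cacert_region(SAMPLE_PEM_BUNDLE)
    print(f"{len(certs)} certificate(s) in bundle, kind={classify(SAMPLE_PEM_BUNDLE)}, "
          f"load {size} bytes then run: wget cacert <addr> {size:#x}")
```

Against a real bundle, `pem_to_der_list(open("cacert.pem", "rb").read())` gives you the per-certificate DER blobs (useful for checking a count against what the host's tooling reports), and `prepare_cacert_region()` gives the exact byte string and size to load into memory before `wget cacert $fileaddr $filesize`. A buffer that classifies as "unknown" is the case where the board would otherwise be handed garbage as its trust anchors, so the helper refuses it rather than guessing.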
