Hi Jerome, Heinrich On Wed, 5 Mar 2025 at 17:13, Jerome Forissier <jerome.foriss...@linaro.org> wrote: > > Hi Heinrich, > > On 3/5/25 16:07, Heinrich Schuchardt wrote: > > On 05.03.25 15:26, Jerome Forissier wrote: > >> Add the "cacert" (Certification Authority certificates) subcommand to > >> wget to pass root certificates to the code handling the HTTPS protocol. > >> The subcommand is enabled by the WGET_CACERT Kconfig symbol. > >> > >> Usage example: > >> > >> => dhcp > >> # Download some root certificates (note: not authenticated!) > >> => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt > >> # Provide root certificates > >> => wget cacert $fileaddr $filesize > >> # Enforce verification (it is optional by default) > >> => wget cacert required > >> # Forget the root certificates > >> => wget cacert 0 0 > >> # Disable verification > >> => wget cacert none > >> > >> Signed-off-by: Jerome Forissier <jerome.foriss...@linaro.org> > >> --- > >> cmd/Kconfig | 8 ++++ > >> cmd/net-lwip.c | 17 ++++++-- > >> net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++-- > >> 3 files changed, 121 insertions(+), 6 deletions(-) > >> > >> diff --git a/cmd/Kconfig b/cmd/Kconfig > >> index 8dd42571abc..d469217c0ea 100644 > >> --- a/cmd/Kconfig > >> +++ b/cmd/Kconfig > >> @@ -2177,6 +2177,14 @@ config WGET_HTTPS > >> help > >> Enable TLS over http for wget. > >> > >> +config WGET_CACERT > >> + bool "wget cacert" > >> + depends on CMD_WGET > >> + depends on WGET_HTTPS > >> + help > >> + Adds the "cacert" sub-command to wget to provide root certificates > >> + to the HTTPS engine. Must be in DER format. > >> + > > > > Shouldn't we build CA certs into U-Boot? > > Downloading certs from unsafe media is not a good replacement. > > That's the purpose of patch 4/6 [1]. Although downloading may still be a > valid option when used with hash verification as I mentioned in a reply to > Ilias in v1 [2]. >
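Review bot: in the WGET_CACERT Kconfig hunk the help text ends with "Must be in DER format." without a subject, and it does not say what the loaded material is trusted for; suggest "Adds the "cacert" sub-command to wget to provide DER-encoded root certificates to the HTTPS engine. They become the trust anchors for subsequent HTTPS downloads." Since the commit message's own usage example marks the certificate download as "not authenticated!", the help text (or the command documentation) should also state that the buffer passed to `wget cacert $fileaddr $filesize` must come from an authenticated source, because whoever supplies it decides which servers pass verification; that matches the v1 discussion about pairing the download with hash verification. The cmd/net-lwip.c and net/lwip/wget.c hunks are not quoted in this message, so the `required`, `none` and `0 0` handling cannot be checked here.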
FWIW I think this still makes sense for people that don't want or cannot add the cert in the u-boot binary, but can add a signed script to download it on the fly.

Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>