On Sun, 9 Mar 2025 at 12:58, Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote: > > Hi Jerome, Heinrich > > On Wed, 5 Mar 2025 at 17:13, Jerome Forissier > <jerome.foriss...@linaro.org> wrote: > > > > Hi Heinrich, > > > > On 3/5/25 16:07, Heinrich Schuchardt wrote: > > > On 05.03.25 15:26, Jerome Forissier wrote: > > >> Add the "cacert" (Certification Authority certificates) subcommand to > > >> wget to pass root certificates to the code handling the HTTPS protocol. > > >> The subcommand is enabled by the WGET_CACERT Kconfig symbol. > > >> > > >> Usage example: > > >> > > >> => dhcp > > >> # Download some root certificates (note: not authenticated!) > > >> => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt > > >> # Provide root certificates > > >> => wget cacert $fileaddr $filesize > > >> # Enforce verification (it is optional by default) > > >> => wget cacert required > > >> # Forget the root certificates > > >> => wget cacert 0 0 > > >> # Disable verification > > >> => wget cacert none > > >> > > >> Signed-off-by: Jerome Forissier <jerome.foriss...@linaro.org> > > >> --- > > >> cmd/Kconfig | 8 ++++ > > >> cmd/net-lwip.c | 17 ++++++-- > > >> net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++-- > > >> 3 files changed, 121 insertions(+), 6 deletions(-) > > >> > > >> diff --git a/cmd/Kconfig b/cmd/Kconfig > > >> index 8dd42571abc..d469217c0ea 100644 > > >> --- a/cmd/Kconfig > > >> +++ b/cmd/Kconfig > > >> @@ -2177,6 +2177,14 @@ config WGET_HTTPS > > >> help > > >> Enable TLS over http for wget. > > >> > > >> +config WGET_CACERT > > >> + bool "wget cacert" > > >> + depends on CMD_WGET > > >> + depends on WGET_HTTPS > > >> + help > > >> + Adds the "cacert" sub-command to wget to provide root certificates > > >> + to the HTTPS engine. Must be in DER format. > > >> + > > > > > > Shouldn't we build CA certs into U-Boot? > > > Downloading certs from unsafe media is not a good replacement. > > > > That's the purpose of patch 4/6 [1]. Although downloading may still be a > > valid option when used with hash verification as I mentioned in a reply to > > Ilias in v1 [2]. > > > > FWIW I think this still makes sense for peopke that don't want or can > not add the cert in the u-boot binary, but can add a signed script to > download it on the fly > > Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
This still stands, but there are a few warning/errors on the entire patchset. Can you address them and send a v3? Thanks /Ilias
