On Do, 2015-03-12 at 19:19 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote: > please do not send a new version except for fix > > I'm going to re-integrate it with the keystore & co Could you describe your keystore design? > and sha1,rsa2048 is considered weak in term of security > and worse md4/md5 > > for barebox I would only use > at least sha256 with rs2048 or sha512 with rsa4096 Yes, of course. These were only used as an example and it's trivial to switch to other hash algos or RSA key sizes. Also, the FIT format can easily be extended to support ECC/Curve25519. In some cases, where the SoC's ROM code only supports RSA2048 with SHA1, using stronger settings in Barebox doesn't increase security. So there we want to use the same settings as the ROM code. Regards, Jan -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox