On Do, 2015-03-12 at 18:47 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote: > as state in my previous e-mail I will a keystore support > > but this dt format to handle no please > > we need to use the standard format as in the kernel or openssl > > DER and x509 > > specially x509 as if we want to be able to add key at runtime we need > to sign them we the trusted RO keys > > For the implementation of RSA I use the polarssl one and plan to add > the kernel one > > and this implementation is limited to 4096 the polarssl one is not Having an ASN1 parser for DER/x509 is a huge amount of complexity I would not want in a bootloader. Just take a look at the problems the SSL-CAs and browsers had with different interpretations of the same cert. The FIT format (and corresponding public key in the bootloader's DT) has been adopted by depthcharge and u-boot, because it handles the requirements and nothing more. What is your use-case for which you need to add keys at runtime? Regards, Jan -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
