| Message ID | cover.1740672437.git.jerome.forissier@linaro.org |
|---|---|
| Headers | show |
| Series | net: lwip: root certificates | expand |
Hi Jerome, On Thu, 27 Feb 2025 at 09:09, Jerome Forissier <jerome.forissier@linaro.org> wrote: > > This series adds support for HTTP server authentication using root (CA) > certificates. > > As a first step, the wget command is extended to support a sub-command: > cacert <addr> <size>. The memory region shall contain the CA > certificates. With this, it is possible to load the certificates from > storage or get them from the network for example, which is convenient > for testing at least. The Kconfig symbol for this feature is > WGET_CACERT=y. > > Then new Kconfig symbols are added to support providing the certificates > at build time, as a DER or PEM encoded X509 collection: > WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. > Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert > command as well as for the builtin way). > > Here is a complete example (showing only the relevant output from the > various commands): > > make qemu_arm64_lwip_defconfig > wget https://curl.se/ca/cacert.pem > echo CONFIG_WGET_BUILTIN_CACERT=y >>.config > echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config > make olddefconfig > make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-" > qemu-system-aarch64 -M virt -nographic -cpu max \ > -object rng-random,id=rng0,filename=/dev/urandom \ > -device virtio-rng-pci,rng=rng0 -bios u-boot.bin > => dhcp > # HTTPS transfer using the builtin CA certificates > => wget https://www.google.com/ > 18724 bytes transferred in 15 ms (1.2 MiB/s) > # Disable certificate validation > => wget cacert 0 0 > # Unsafe HTTPS transfer > => wget https://www.google.com/ > WARNING: no CA certificates, HTTPS connections not authenticated > 16570 bytes transferred in 15 ms (1.1 MiB/s) > # Dowload and apply CA certificates from the net > => wget https://curl.se/ca/cacert.pem > WARNING: no CA certificates, HTTPS connections not authenticated > ## > 233263 bytes transferred in 61 ms (3.6 MiB/s) > => wget cacert $fileaddr $filesize > # Now HTTPS is authenticated against the new CA > => wget https://www.google.com/ > 18743 bytes transferred in 14 ms (1.3 MiB/s) > # Drop the certificates again... > => wget cacert 0 0 > # Check that transfer is not secure > => wget https://www.google.com/ > WARNING: no CA certificates, HTTPS connections not authenticated > # Restore the builtin CA > => wget cacert builtin > # No more WARNING > => wget https://www.google.com/ > 18738 bytes transferred in 15 ms (1.2 MiB/s) > > Jerome Forissier (5): > net: lwip: extend wget to support CA (root) certificates > lwip: tls: enforce checking of server certificates based on CA > availability > lwip: tls: warn when no CA exists amd log certificate validation > errors > net: lwip: add support for built-in root certificates > configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and > MBEDTLS_LIB_X509_PEM > > cmd/Kconfig | 29 ++++++ > cmd/net-lwip.c | 19 +++- > configs/qemu_arm64_lwip_defconfig | 2 + > .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 9 +- > .../lwip/apps/altcp_tls_mbedtls_opts.h | 6 -- > lib/mbedtls/Makefile | 3 + > lib/mbedtls/mbedtls_def_config.h | 5 ++ > net/lwip/Makefile | 6 ++ > net/lwip/wget.c | 90 ++++++++++++++++++- > 9 files changed, 158 insertions(+), 11 deletions(-) Did you manage to add some sandbox tests for lwip? Regards, Simon
On 2/27/25 17:27, Simon Glass wrote: > Hi Jerome, > > On Thu, 27 Feb 2025 at 09:09, Jerome Forissier > <jerome.forissier@linaro.org> wrote: >> >> This series adds support for HTTP server authentication using root (CA) >> certificates. >> >> As a first step, the wget command is extended to support a sub-command: >> cacert <addr> <size>. The memory region shall contain the CA >> certificates. With this, it is possible to load the certificates from >> storage or get them from the network for example, which is convenient >> for testing at least. The Kconfig symbol for this feature is >> WGET_CACERT=y. >> >> Then new Kconfig symbols are added to support providing the certificates >> at build time, as a DER or PEM encoded X509 collection: >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert >> command as well as for the builtin way). >> >> Here is a complete example (showing only the relevant output from the >> various commands): >> >> make qemu_arm64_lwip_defconfig >> wget https://curl.se/ca/cacert.pem >> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config >> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config >> make olddefconfig >> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-" >> qemu-system-aarch64 -M virt -nographic -cpu max \ >> -object rng-random,id=rng0,filename=/dev/urandom \ >> -device virtio-rng-pci,rng=rng0 -bios u-boot.bin >> => dhcp >> # HTTPS transfer using the builtin CA certificates >> => wget https://www.google.com/ >> 18724 bytes transferred in 15 ms (1.2 MiB/s) >> # Disable certificate validation >> => wget cacert 0 0 >> # Unsafe HTTPS transfer >> => wget https://www.google.com/ >> WARNING: no CA certificates, HTTPS connections not authenticated >> 16570 bytes transferred in 15 ms (1.1 MiB/s) >> # Dowload and apply CA certificates from the net >> => wget https://curl.se/ca/cacert.pem >> WARNING: no CA certificates, HTTPS connections not authenticated >> ## >> 233263 bytes transferred in 61 ms (3.6 MiB/s) >> => wget cacert $fileaddr $filesize >> # Now HTTPS is authenticated against the new CA >> => wget https://www.google.com/ >> 18743 bytes transferred in 14 ms (1.3 MiB/s) >> # Drop the certificates again... >> => wget cacert 0 0 >> # Check that transfer is not secure >> => wget https://www.google.com/ >> WARNING: no CA certificates, HTTPS connections not authenticated >> # Restore the builtin CA >> => wget cacert builtin >> # No more WARNING >> => wget https://www.google.com/ >> 18738 bytes transferred in 15 ms (1.2 MiB/s) >> >> Jerome Forissier (5): >> net: lwip: extend wget to support CA (root) certificates >> lwip: tls: enforce checking of server certificates based on CA >> availability >> lwip: tls: warn when no CA exists amd log certificate validation >> errors >> net: lwip: add support for built-in root certificates >> configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and >> MBEDTLS_LIB_X509_PEM >> >> cmd/Kconfig | 29 ++++++ >> cmd/net-lwip.c | 19 +++- >> configs/qemu_arm64_lwip_defconfig | 2 + >> .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 9 +- >> .../lwip/apps/altcp_tls_mbedtls_opts.h | 6 -- >> lib/mbedtls/Makefile | 3 + >> lib/mbedtls/mbedtls_def_config.h | 5 ++ >> net/lwip/Makefile | 6 ++ >> net/lwip/wget.c | 90 ++++++++++++++++++- >> 9 files changed, 158 insertions(+), 11 deletions(-) > > Did you manage to add some sandbox tests for lwip? Unfortunately not. I am testing mostly with QEMU (qemu_arm64_lwip_defconfig) and sometimes with KV260 and i.MX93. Regards,
On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote: > This series adds support for HTTP server authentication using root (CA) > certificates. > > As a first step, the wget command is extended to support a sub-command: > cacert <addr> <size>. The memory region shall contain the CA > certificates. With this, it is possible to load the certificates from > storage or get them from the network for example, which is convenient > for testing at least. The Kconfig symbol for this feature is > WGET_CACERT=y. > > Then new Kconfig symbols are added to support providing the certificates > at build time, as a DER or PEM encoded X509 collection: > WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. > Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert > command as well as for the builtin way). > > Here is a complete example (showing only the relevant output from the > various commands): > > make qemu_arm64_lwip_defconfig > wget https://curl.se/ca/cacert.pem > echo CONFIG_WGET_BUILTIN_CACERT=y >>.config > echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config > make olddefconfig > make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-" > qemu-system-aarch64 -M virt -nographic -cpu max \ > -object rng-random,id=rng0,filename=/dev/urandom \ > -device virtio-rng-pci,rng=rng0 -bios u-boot.bin > => dhcp > # HTTPS transfer using the builtin CA certificates > => wget https://www.google.com/ > 18724 bytes transferred in 15 ms (1.2 MiB/s) > # Disable certificate validation > => wget cacert 0 0 > # Unsafe HTTPS transfer > => wget https://www.google.com/ > WARNING: no CA certificates, HTTPS connections not authenticated > 16570 bytes transferred in 15 ms (1.1 MiB/s) > # Dowload and apply CA certificates from the net > => wget https://curl.se/ca/cacert.pem > WARNING: no CA certificates, HTTPS connections not authenticated > ## > 233263 bytes transferred in 61 ms (3.6 MiB/s) > => wget cacert $fileaddr $filesize > # Now HTTPS is authenticated against the new CA > => wget https://www.google.com/ > 18743 bytes transferred in 14 ms (1.3 MiB/s) > # Drop the certificates again... > => wget cacert 0 0 > # Check that transfer is not secure > => wget https://www.google.com/ > WARNING: no CA certificates, HTTPS connections not authenticated > # Restore the builtin CA > => wget cacert builtin > # No more WARNING > => wget https://www.google.com/ > 18738 bytes transferred in 15 ms (1.2 MiB/s) As part of v2, please update the documentation as well with some example like the above (perhaps as enable X/Y/Z then at run time ...), thanks!
On 2/27/25 19:06, Tom Rini wrote: > On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote: > >> This series adds support for HTTP server authentication using root (CA) >> certificates. >> >> As a first step, the wget command is extended to support a sub-command: >> cacert <addr> <size>. The memory region shall contain the CA >> certificates. With this, it is possible to load the certificates from >> storage or get them from the network for example, which is convenient >> for testing at least. The Kconfig symbol for this feature is >> WGET_CACERT=y. >> >> Then new Kconfig symbols are added to support providing the certificates >> at build time, as a DER or PEM encoded X509 collection: >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert >> command as well as for the builtin way). >> >> Here is a complete example (showing only the relevant output from the >> various commands): >> >> make qemu_arm64_lwip_defconfig >> wget https://curl.se/ca/cacert.pem >> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config >> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config >> make olddefconfig >> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-" >> qemu-system-aarch64 -M virt -nographic -cpu max \ >> -object rng-random,id=rng0,filename=/dev/urandom \ >> -device virtio-rng-pci,rng=rng0 -bios u-boot.bin >> => dhcp >> # HTTPS transfer using the builtin CA certificates >> => wget https://www.google.com/ >> 18724 bytes transferred in 15 ms (1.2 MiB/s) >> # Disable certificate validation >> => wget cacert 0 0 >> # Unsafe HTTPS transfer >> => wget https://www.google.com/ >> WARNING: no CA certificates, HTTPS connections not authenticated >> 16570 bytes transferred in 15 ms (1.1 MiB/s) >> # Dowload and apply CA certificates from the net >> => wget https://curl.se/ca/cacert.pem >> WARNING: no CA certificates, HTTPS connections not authenticated >> ## >> 233263 bytes transferred in 61 ms (3.6 MiB/s) >> => wget cacert $fileaddr $filesize >> # Now HTTPS is authenticated against the new CA >> => wget https://www.google.com/ >> 18743 bytes transferred in 14 ms (1.3 MiB/s) >> # Drop the certificates again... >> => wget cacert 0 0 >> # Check that transfer is not secure >> => wget https://www.google.com/ >> WARNING: no CA certificates, HTTPS connections not authenticated >> # Restore the builtin CA >> => wget cacert builtin >> # No more WARNING >> => wget https://www.google.com/ >> 18738 bytes transferred in 15 ms (1.2 MiB/s) > > As part of v2, please update the documentation as well with some example > like the above (perhaps as enable X/Y/Z then at run time ...), thanks! Will do. Thanks,
Hi Jerome, On Thu, 27 Feb 2025 at 20:31, Jerome Forissier <jerome.forissier@linaro.org> wrote: > > > > On 2/27/25 19:06, Tom Rini wrote: > > On Thu, Feb 27, 2025 at 05:09:00PM +0100, Jerome Forissier wrote: > > > >> This series adds support for HTTP server authentication using root (CA) > >> certificates. > >> > >> As a first step, the wget command is extended to support a sub-command: > >> cacert <addr> <size>. The memory region shall contain the CA > >> certificates. With this, it is possible to load the certificates from > >> storage or get them from the network for example, which is convenient > >> for testing at least. The Kconfig symbol for this feature is > >> WGET_CACERT=y. > >> > >> Then new Kconfig symbols are added to support providing the certificates > >> at build time, as a DER or PEM encoded X509 collection: > >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. > >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert > >> command as well as for the builtin way). [...] I don't know if we can do it in this patchset, but in the future, we could store the sha256 and the CA certificate path in a U-Boot elf section. Since we will soon have .rodata section with proper memory permissions, we could automatically download the cert in mem and make sure it's valid. Cheers /Ilias
This series adds support for HTTP server authentication using root (CA) certificates. As a first step, the wget command is extended to support a sub-command: cacert <addr> <size>. The memory region shall contain the CA certificates. With this, it is possible to load the certificates from storage or get them from the network for example, which is convenient for testing at least. The Kconfig symbol for this feature is WGET_CACERT=y. Then new Kconfig symbols are added to support providing the certificates at build time, as a DER or PEM encoded X509 collection: WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert command as well as for the builtin way). Here is a complete example (showing only the relevant output from the various commands): make qemu_arm64_lwip_defconfig wget https://curl.se/ca/cacert.pem echo CONFIG_WGET_BUILTIN_CACERT=y >>.config echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config make olddefconfig make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-" qemu-system-aarch64 -M virt -nographic -cpu max \ -object rng-random,id=rng0,filename=/dev/urandom \ -device virtio-rng-pci,rng=rng0 -bios u-boot.bin => dhcp # HTTPS transfer using the builtin CA certificates => wget https://www.google.com/ 18724 bytes transferred in 15 ms (1.2 MiB/s) # Disable certificate validation => wget cacert 0 0 # Unsafe HTTPS transfer => wget https://www.google.com/ WARNING: no CA certificates, HTTPS connections not authenticated 16570 bytes transferred in 15 ms (1.1 MiB/s) # Dowload and apply CA certificates from the net => wget https://curl.se/ca/cacert.pem WARNING: no CA certificates, HTTPS connections not authenticated ## 233263 bytes transferred in 61 ms (3.6 MiB/s) => wget cacert $fileaddr $filesize # Now HTTPS is authenticated against the new CA => wget https://www.google.com/ 18743 bytes transferred in 14 ms (1.3 MiB/s) # Drop the certificates again... => wget cacert 0 0 # Check that transfer is not secure => wget https://www.google.com/ WARNING: no CA certificates, HTTPS connections not authenticated # Restore the builtin CA => wget cacert builtin # No more WARNING => wget https://www.google.com/ 18738 bytes transferred in 15 ms (1.2 MiB/s) Jerome Forissier (5): net: lwip: extend wget to support CA (root) certificates lwip: tls: enforce checking of server certificates based on CA availability lwip: tls: warn when no CA exists amd log certificate validation errors net: lwip: add support for built-in root certificates configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and MBEDTLS_LIB_X509_PEM cmd/Kconfig | 29 ++++++ cmd/net-lwip.c | 19 +++- configs/qemu_arm64_lwip_defconfig | 2 + .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 9 +- .../lwip/apps/altcp_tls_mbedtls_opts.h | 6 -- lib/mbedtls/Makefile | 3 + lib/mbedtls/mbedtls_def_config.h | 5 ++ net/lwip/Makefile | 6 ++ net/lwip/wget.c | 90 ++++++++++++++++++- 9 files changed, 158 insertions(+), 11 deletions(-)