Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2055652/?format=api
{ "id": 2055652, "url": "http://patchwork.ozlabs.org/api/patches/2055652/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20250305142650.2966738-5-jerome.forissier@linaro.org/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20250305142650.2966738-5-jerome.forissier@linaro.org>", "list_archive_url": null, "date": "2025-03-05T14:26:45", "name": "[v2,4/6] net: lwip: add support for built-in root certificates", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "607f8ba7eb38d637321729a221b4ba1833f8963c", "submitter": { "id": 69192, "url": "http://patchwork.ozlabs.org/api/people/69192/?format=api", "name": "Jerome Forissier", "email": "jerome.forissier@linaro.org" }, "delegate": { "id": 157425, "url": "http://patchwork.ozlabs.org/api/users/157425/?format=api", "username": "jforissier", "first_name": "Jerome", "last_name": "Forissier", "email": "jerome.forissier@linaro.org" }, "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20250305142650.2966738-5-jerome.forissier@linaro.org/mbox/", "series": [ { "id": 447137, "url": "http://patchwork.ozlabs.org/api/series/447137/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=447137", "date": "2025-03-05T14:26:41", "name": "net: lwip: root certificates", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/447137/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2055652/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2055652/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=wQSj/Lei;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)", "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=linaro.org", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.b=\"wQSj/Lei\";\n\tdkim-atps=neutral", "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=linaro.org", "phobos.denx.de;\n spf=pass smtp.mailfrom=jerome.forissier@linaro.org" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Z7FJx6kqQz1yVg\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 6 Mar 2025 01:28:17 +1100 (AEDT)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 90B1781420;\n\tWed, 5 Mar 2025 15:27:24 +0100 (CET)", "by phobos.denx.de (Postfix, from userid 109)\n id 6AC6181276; Wed, 5 Mar 2025 15:27:23 +0100 (CET)", "from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com\n [IPv6:2a00:1450:4864:20::32d])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id DDAB8811C1\n for <u-boot@lists.denx.de>; Wed, 5 Mar 2025 15:27:20 +0100 (CET)", "by mail-wm1-x32d.google.com with SMTP id\n 5b1f17b1804b1-43bcad638efso14366965e9.2\n for <u-boot@lists.denx.de>; Wed, 05 Mar 2025 06:27:20 -0800 (PST)", "from builder.. ([2a01:e0a:3cb:7bb0:369c:9bd8:7c87:9a39])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-391188029e0sm5442456f8f.52.2025.03.05.06.27.18\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 05 Mar 2025 06:27:18 -0800 (PST)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1741184840; x=1741789640; darn=lists.denx.de;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=Iw0NmlvEY0kN52IQfHtiNuKhb/OHaYv9SiWJGV1BIyA=;\n b=wQSj/LeiJRSLX1rxl9bXGhMvNfsgPruyx0izSaphMhaVhgvu5gFWrki8IGrEqXXZuv\n yfXc14jNUDiyPJfUuolLZ0aR6pquchW3EJUX8FMTXPDe0a8YMxYmQNLKg8gdgDfBjd/c\n bn0AzFWLMhPS6zNyhzqNyLgs3h55MvaAlzIYexcNQefMJDw/6J/n4SxSdguFXhARIJAa\n JScOTqla6U0iYEWukDgiIYZtCjm7GntZCVkt7xf91VK1zTNR1jml96fajAOzPYxyCzyJ\n MGJlJrBtYM4SiZ9R9830Bd2MiSeYoyBQr1J7LcAuCSuvND3egXVzAf3kN3yijhcjitGZ\n 33lg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1741184840; x=1741789640;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=Iw0NmlvEY0kN52IQfHtiNuKhb/OHaYv9SiWJGV1BIyA=;\n b=NyzdW9AFcmE4ltq8e0gyqx30SudNyXyoqXJREThniT5mbZHVtwwmF850OzZ4+3qp7H\n psvqSSS2xqWZ56oWS2lcCZaq1F5Rmn2TgJEYlhevxbp/o5pzcga2kvDN0FDMG+egJvxW\n lFX0dLa+Cx80flNteLOcerWXlh9Hj6oUTp4xghKrBlvQIL0zWIhfG6uNNDGyRTN5JJdo\n V5P0HD9uVU7q56e7V999E2ASV0TLLBou5NI/HlfpPHa37xMglwD0g5vYU+6KTTKRMOIN\n vz8DiWBWjvjFYiQCSw5wpYfZreigwibyaNtAtQSY/yi7Sw9O8AzZcAf6THFzJgPGSdZj\n Tg6w==", "X-Gm-Message-State": "AOJu0YzkHKoeOoYmvoB7IkIUODRhtplZGP3JmQL2Ki5rzA7LSq5MIrsS\n LiufUsHmR8TUqzz4bd1KsL2XeduJVnNYI4PzneOzCnPmCb1o5ocqZzFRrG+gY7i49q7VmaUJGFp\n C", "X-Gm-Gg": "ASbGncsKhYoBys38g1ooZ6+RKntdiR90kksKsZxZO3MRyQH6TE0AYqgrrU/rG6c/gGn\n QbOLYHrpnv4fvER2Gal5Wm6rTCc1WVwPBRx/M9zyYbRQbX4C94itM9GO73cI/Ud4dJQM4adZaab\n eQBizRgoSp3WBVHS7rkmqWm3q9A/o6KZ0lRVFcFUPrE0Me5Vm3Q3TaqmgdHDVqK7rmoExu15TmU\n hyZDn6Qmz3n+swYPtbld0zUVCXc2bf+Sp2AxTKvW80cmFdUhOci0JqS2vtb42vhq+zvbBnOkHFg\n /ThIQKhy/kVzCTAVeIqM0xe9tKLJuHZVBdFaU3BG+mVAb8kplr/HeQ==", "X-Google-Smtp-Source": "\n AGHT+IGcN6FLnTUr3ghyqAqUnlNtEQhwnfS9KEFTwlMhIu3XhWzwpZm5PwC91QNjlS5vtwsZuznHcA==", "X-Received": "by 2002:a05:600c:45c6:b0:43b:c034:57b1 with SMTP id\n 5b1f17b1804b1-43bd2aed7a7mr21852965e9.20.1741184838559;\n Wed, 05 Mar 2025 06:27:18 -0800 (PST)", "From": "Jerome Forissier <jerome.forissier@linaro.org>", "To": "u-boot@lists.denx.de", "Cc": "Ilias Apalodimas <ilias.apalodimas@linaro.org>,\n Jerome Forissier <jerome.forissier@linaro.org>,\n Tom Rini <trini@konsulko.com>, Joe Hershberger <joe.hershberger@ni.com>,\n Ramon Fried <rfried.dev@gmail.com>, Simon Glass <sjg@chromium.org>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>,\n Mattijs Korpershoek <mkorpershoek@baylibre.com>,\n Ibai Erkiaga <ibai.erkiaga-elorza@amd.com>,\n Michal Simek <michal.simek@amd.com>, Adriano Cordova <adrianox@gmail.com>", "Subject": "[PATCH v2 4/6] net: lwip: add support for built-in root certificates", "Date": "Wed, 5 Mar 2025 15:26:45 +0100", "Message-ID": "<20250305142650.2966738-5-jerome.forissier@linaro.org>", "X-Mailer": "git-send-email 2.43.0", "In-Reply-To": "<20250305142650.2966738-1-jerome.forissier@linaro.org>", "References": "<20250305142650.2966738-1-jerome.forissier@linaro.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.8 at phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "Introduce Kconfig symbols WGET_BUILTIN_CACERT and\nWGET_BUILTIN_CACERT_PATH to provide root certificates at build time.\n\nUsage example:\n\n wget -O cacert.crt https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt\n make qemu_arm64_lwip_defconfig\n echo CONFIG_WGET_BUILTIN_CACERT=y >>.config\n echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.crt >>.config\n make olddefconfig\n make -j$(nproc) CROSS_COMPILE=\"ccache aarch64-linux-gnu-\"\n qemu-system-aarch64 -M virt -nographic -cpu max \\\n -object rng-random,id=rng0,filename=/dev/urandom \\\n -device virtio-rng-pci,rng=rng0 -bios u-boot.bin\n => dhcp\n # HTTPS transfer using the builtin CA certificates\n => wget https://digicert-tls-ecc-p384-root-g5.chain-demos.digicert.com/\n 1867 bytes transferred in 1 ms (1.8 MiB/s)\n Bytes transferred = 1867 (74b hex)\n\nSigned-off-by: Jerome Forissier <jerome.forissier@linaro.org>\n---\n cmd/Kconfig | 14 ++++++++++++\n cmd/net-lwip.c | 4 ++++\n net/lwip/Makefile | 6 +++++\n net/lwip/wget.c | 57 +++++++++++++++++++++++++++++++++++++++--------\n 4 files changed, 72 insertions(+), 9 deletions(-)", "diff": "diff --git a/cmd/Kconfig b/cmd/Kconfig\nindex d469217c0ea..312bf94d4e8 100644\n--- a/cmd/Kconfig\n+++ b/cmd/Kconfig\n@@ -2185,6 +2185,20 @@ config WGET_CACERT\n \t Adds the \"cacert\" sub-command to wget to provide root certificates\n \t to the HTTPS engine. Must be in DER format.\n \n+config WGET_BUILTIN_CACERT\n+\tbool \"Built-in CA certificates\"\n+\tdepends on WGET_HTTPS\n+\tselect BUILD_BIN2C\n+\n+config WGET_BUILTIN_CACERT_PATH\n+\tstring \"Path to root certificates\"\n+\tdepends on WGET_BUILTIN_CACERT\n+\tdefault \"cacert.crt\"\n+\thelp\n+\t Set this to the path to a DER-encoded X509 file containing\n+\t Certification Authority certificates, a.k.a. root certificates, for\n+\t the purpose of authenticating HTTPS connections.\n+\n endif # if CMD_NET\n \n config CMD_PXE\ndiff --git a/cmd/net-lwip.c b/cmd/net-lwip.c\nindex 1152c94a6dc..58c10fbec7d 100644\n--- a/cmd/net-lwip.c\n+++ b/cmd/net-lwip.c\n@@ -41,6 +41,10 @@ U_BOOT_CMD(wget, 4, 1, do_wget,\n \t \" - provide CA certificates (0 0 to remove current)\"\n \t \"\\nwget cacert none|optional|required\\n\"\n \t \" - set server certificate verification mode (default: optional)\"\n+#if defined(CONFIG_WGET_BUILTIN_CACERT)\n+\t \"\\nwget cacert builtin\\n\"\n+\t \" - use the builtin CA certificates\"\n+#endif\n #endif\n );\n #endif\ndiff --git a/net/lwip/Makefile b/net/lwip/Makefile\nindex 79dd6b3fb50..950c5316bb9 100644\n--- a/net/lwip/Makefile\n+++ b/net/lwip/Makefile\n@@ -6,3 +6,9 @@ obj-$(CONFIG_CMD_DNS) += dns.o\n obj-$(CONFIG_CMD_PING) += ping.o\n obj-$(CONFIG_CMD_TFTPBOOT) += tftp.o\n obj-$(CONFIG_WGET) += wget.o\n+\n+ifeq (y,$(CONFIG_WGET_BUILTIN_CACERT))\n+$(obj)/builtin_cacert.c: $(CONFIG_WGET_BUILTIN_CACERT_PATH:\"%\"=%) FORCE\n+\t$(call if_changed,bin2c,builtin_cacert)\n+obj-y += builtin_cacert.o\n+endif\ndiff --git a/net/lwip/wget.c b/net/lwip/wget.c\nindex c22843ee10d..ec098148835 100644\n--- a/net/lwip/wget.c\n+++ b/net/lwip/wget.c\n@@ -304,28 +304,34 @@ static int set_auth(enum auth_mode auth)\n \n \treturn CMD_RET_SUCCESS;\n }\n+#endif\n \n-static int set_cacert(char * const saddr, char * const ssz)\n+#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+extern const char builtin_cacert[];\n+extern const size_t builtin_cacert_size;\n+static bool cacert_initialized;\n+#endif\n+\n+#if CONFIG_IS_ENABLED(WGET_CACERT) || CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+static int _set_cacert(const void *addr, size_t sz)\n {\n \tmbedtls_x509_crt crt;\n-\tulong addr, sz;\n+\tvoid *p;\n \tint ret;\n \n \tif (cacert)\n \t\tfree(cacert);\n \n-\taddr = hextoul(saddr, NULL);\n-\tsz = hextoul(ssz, NULL);\n-\n \tif (!addr) {\n \t\tcacert = NULL;\n \t\tcacert_size = 0;\n \t\treturn CMD_RET_SUCCESS;\n \t}\n \n-\tcacert = malloc(sz);\n-\tif (!cacert)\n+\tp = malloc(sz);\n+\tif (!p)\n \t\treturn CMD_RET_FAILURE;\n+\tcacert = p;\n \tcacert_size = sz;\n \n \tmemcpy(cacert, (void *)addr, sz);\n@@ -340,10 +346,32 @@ static int set_cacert(char * const saddr, char * const ssz)\n \t\treturn CMD_RET_FAILURE;\n \t}\n \n+#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+\tcacert_initialized = true;\n+#endif\n \treturn CMD_RET_SUCCESS;\n }\n+\n+#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+static int set_cacert_builtin(void)\n+{\n+\treturn _set_cacert(builtin_cacert, builtin_cacert_size);\n+}\n #endif\n \n+#if CONFIG_IS_ENABLED(WGET_CACERT)\n+static int set_cacert(char * const saddr, char * const ssz)\n+{\n+\tulong addr, sz;\n+\n+\taddr = hextoul(saddr, NULL);\n+\tsz = hextoul(ssz, NULL);\n+\n+\treturn _set_cacert((void *)addr, sz);\n+}\n+#endif\n+#endif /* CONFIG_WGET_CACERT || CONFIG_WGET_BUILTIN_CACERT */\n+\n static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)\n {\n #if CONFIG_IS_ENABLED(WGET_HTTPS)\n@@ -373,8 +401,15 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)\n \tmemset(&conn, 0, sizeof(conn));\n #if CONFIG_IS_ENABLED(WGET_HTTPS)\n \tif (is_https) {\n-\t\tchar *ca = cacert;\n-\t\tsize_t ca_sz = cacert_size;\n+\t\tchar *ca;\n+\t\tsize_t ca_sz;\n+\n+#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+\t\tif (!cacert_initialized)\n+\t\t\tset_cacert_builtin();\n+#endif\n+\t\tca = cacert;\n+\t\tca_sz = cacert_size;\n \n \t\tif (cacert_auth_mode == AUTH_REQUIRED) {\n \t\t\tif (!ca || !ca_sz) {\n@@ -455,6 +490,10 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[])\n \tif (argc == 4 && !strncmp(argv[1], \"cacert\", strlen(\"cacert\")))\n \t\treturn set_cacert(argv[2], argv[3]);\n \tif (argc == 3 && !strncmp(argv[1], \"cacert\", strlen(\"cacert\"))) {\n+#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT)\n+\t\tif (!strncmp(argv[2], \"builtin\", strlen(\"builtin\")))\n+\t\t\treturn set_cacert_builtin();\n+#endif\n \t\tif (!strncmp(argv[2], \"none\", strlen(\"none\")))\n \t\t\treturn set_auth(AUTH_NONE);\n \t\tif (!strncmp(argv[2], \"optional\", strlen(\"optional\")))\n", "prefixes": [ "v2", "4/6" ] }