
[09/16] Kbuild: Add PKCS11 option

Message ID 20200916135825.40367-10-bage@linutronix.de

Commit Message

Bastian Germann Sept. 16, 2020, 1:58 p.m. UTC
From: Bastian Germann <bage@linutronix.de>

Add an option to enable PKCS#11-based image encryption with wolfSSL's
PKCS#11 support. p11-kit is used for PKCS#11 URI parsing.

Signed-off-by: Bastian Germann <bage@linutronix.de>
Acked-by: Torben Hohn <torben.hohn@linutronix.de>
---
 Kconfig          | 13 +++++++++++++
 Makefile.deps    |  4 ++++
 Makefile.flags   |  7 +++++++
 corelib/Makefile |  8 ++++++++
 test/Makefile    |  2 ++
 5 files changed, 34 insertions(+)


diff --git a/Kconfig b/Kconfig
index 2d2cca6..9c4e520 100644
--- a/Kconfig
+++ b/Kconfig
@@ -85,6 +85,10 @@  config HAVE_MBEDTLS
 	bool
 	option env="HAVE_MBEDTLS"
 
+config HAVE_P11KIT
+	bool
+	option env="HAVE_P11KIT"
+
 config HAVE_JSON_C
 	bool
 	option env="HAVE_JSON_C"
@@ -462,6 +466,15 @@  config ENCRYPTED_IMAGES
 comment "Image encryption needs an SSL implementation"
 	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
+config PKCS11
+	bool "Enable PKCS#11 cryptographic operations"
+	default n
+	depends on HAVE_WOLFSSL && HAVE_P11KIT && ENCRYPTED_IMAGES
+	help
+	  Enable using PKCS#11 for AES decryption instead of having the plain
+	  key available in a file. This is implemented with wolfSSL independent
+	  from the SSL implementation and replaces the plain key method.
+
 source suricatta/Config.in
 
 source mongoose/Config.in
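Review bot: `default n` on the new PKCS11 symbol is already the Kconfig default for a bool and can be dropped, leaving `bool "Enable PKCS#11 cryptographic operations"` followed directly by the `depends on` line. The help text's "replaces the plain key method" is the only place the build-level consequence is stated; it would help a configurer to say explicitly that the plain-key decrypt object is not built when this is enabled and that test_crypt is skipped, since both follow from later hunks in this series rather than from anything visible in Kconfig. The `depends on HAVE_WOLFSSL` requirement regardless of the selected SSL implementation is intentional per the help text, but a short phrase such as "wolfSSL must be available even if another SSL implementation is selected" would make that explicit.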
diff --git a/Makefile.deps b/Makefile.deps
index 0949628..e93367f 100644
--- a/Makefile.deps
+++ b/Makefile.deps
@@ -70,6 +70,10 @@  ifeq ($(HAVE_MBEDTLS),)
 export HAVE_MBEDTLS = y
 endif
 
+ifeq ($(HAVE_P11KIT),)
+export HAVE_P11KIT = y
+endif
+
 ifeq ($(HAVE_JSON_C),)
 export HAVE_JSON_C = y
 endif
diff --git a/Makefile.flags b/Makefile.flags
index 0ccd841..8b4a95c 100644
--- a/Makefile.flags
+++ b/Makefile.flags
@@ -152,6 +152,13 @@  endif
 ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
 KBUILD_CPPFLAGS += -I/usr/include/wolfssl -DOPENSSL_ALL -DWOLFSSL_APACHE_HTTPD
 LDLIBS += wolfssl
+else ifeq ($(CONFIG_PKCS11),y)
+LDLIBS += wolfssl
+endif
+
+ifeq ($(CONFIG_PKCS11),y)
+KBUILD_CPPFLAGS += -I/usr/include/p11-kit-1
+LDLIBS += p11-kit
 endif
 
 ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
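Review bot: The new `else ifeq ($(CONFIG_PKCS11),y)` branch links wolfssl but does not add the `-I/usr/include/wolfssl` include path that the wolfSSL branch above it sets, so with OpenSSL or mbedTLS selected the PKCS#11 decrypt object is compiled without it; if that object includes wolfSSL headers (not visible here), the branch should also carry `KBUILD_CPPFLAGS += -I/usr/include/wolfssl`. The p11-kit include path `-I/usr/include/p11-kit-1` is hard-coded to the host prefix, following the existing wolfssl line; in a cross build with a sysroot this resolves to host headers, so deriving it from `pkg-config --cflags p11-kit-1` would be more robust if pkg-config is already used elsewhere in this build (not determinable from the hunk). The `-DOPENSSL_ALL -DWOLFSSL_APACHE_HTTPD` defines from the wolfSSL branch are likewise absent from the new branch, which is worth confirming against what the PKCS#11 code expects.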
diff --git a/corelib/Makefile b/corelib/Makefile
index 8a9fea0..526dad5 100644
--- a/corelib/Makefile
+++ b/corelib/Makefile
@@ -7,7 +7,11 @@  lib-$(CONFIG_MTD)		+= mtd-interface.o
 lib-$(CONFIG_LUA)		+= lua_interface.o lua_compat.o
 ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
 lib-$(CONFIG_HASH_VERIFY)	+= verify_signature.o
+ifeq ($(CONFIG_PKCS11),y)
+lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_decrypt_pkcs11.o
+else
 lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_decrypt.o
+endif
 lib-$(CONFIG_SIGALG_RAWRSA)	+= swupdate_rsa_verify.o
 lib-$(CONFIG_SIGALG_RSAPSS)	+= swupdate_rsa_verify.o
 endif
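Review bot: The `ifeq ($(CONFIG_PKCS11),y)` / `else` selection between `swupdate_decrypt_pkcs11.o` and the implementation-specific plain decrypt object is repeated verbatim in the `CONFIG_SSL_IMPL_MBEDTLS` block of the next hunk; since the PKCS#11 object is the same for both branches (the commit message says it is wolfSSL-based independent of the SSL implementation), a reader has to check both blocks to learn that only the `else` arm differs. Either hoist the PKCS#11 line into one block outside the per-implementation `ifeq`s and guard the plain objects with `ifneq ($(CONFIG_PKCS11),y)`, or at least add a comment above the first occurrence, `# PKCS#11 decryption is wolfSSL-based and replaces the per-implementation plain-key decrypt object`. Hoisting relies on ENCRYPTED_IMAGES implying an SSL implementation, which the Kconfig comment "Image encryption needs an SSL implementation" suggests but this hunk does not prove.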
@@ -17,7 +21,11 @@  lib-$(CONFIG_SIGALG_CMS)	+= swupdate_cms_verify.o
 endif
 ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
 lib-$(CONFIG_HASH_VERIFY)	+= verify_signature_mbedtls.o
+ifeq ($(CONFIG_PKCS11),y)
+lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_decrypt_pkcs11.o
+else
 lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_decrypt_mbedtls.o
+endif
 lib-$(CONFIG_SIGALG_RAWRSA)	+= swupdate_rsa_verify_mbedtls.o
 lib-$(CONFIG_SIGALG_RSAPSS)	+= swupdate_rsa_verify_mbedtls.o
 endif
diff --git a/test/Makefile b/test/Makefile
index 2b2070a..747d973 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -15,7 +15,9 @@ 
 ## along with this program; if not, write to the Free Software
 ## Foundation, Inc.
 
+ifneq ($(CONFIG_PKCS11),y)
 tests-$(CONFIG_ENCRYPTED_IMAGES) += test_crypt
+endif
 tests-$(CONFIG_HASH_VERIFY) += test_hash
 ifeq ($(CONFIG_SIGALG_RAWRSA),y)
 tests-$(CONFIG_SIGNED_IMAGES) += test_verify
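Review bot: Wrapping `tests-$(CONFIG_ENCRYPTED_IMAGES) += test_crypt` in `ifneq ($(CONFIG_PKCS11),y)` drops the only visible test of the decryption path for PKCS#11 builds without adding a replacement, so a `CONFIG_PKCS11=y` configuration ends up with no decrypt test at all. The reason is not stated in the file; a comment on the new `ifneq` line would help, `# test_crypt drives the plain-key decrypt object, which CONFIG_PKCS11 replaces; no PKCS#11 test exists yet`. Whether a software-token-backed test is feasible in this project's test environment cannot be judged from the hunk, but the gap is worth tracking.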