@@ -85,6 +85,10 @@ config HAVE_MBEDTLS
bool
option env="HAVE_MBEDTLS"
+config HAVE_P11KIT
+ bool
+ option env="HAVE_P11KIT"
+
config HAVE_JSON_C
bool
option env="HAVE_JSON_C"
@@ -462,6 +466,15 @@ config ENCRYPTED_IMAGES
comment "Image encryption needs an SSL implementation"
depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
+config PKCS11
+ bool "Enable PKCS#11 cryptographic operations"
+ default n
+ depends on HAVE_WOLFSSL && HAVE_P11KIT && ENCRYPTED_IMAGES
+ help
+ Enable using PKCS#11 for AES decryption instead of having the plain
+ key available in a file. This is implemented with wolfSSL independent
+ from the SSL implementation and replaces the plain key method.
+
source suricatta/Config.in
source mongoose/Config.in
@@ -70,6 +70,10 @@ ifeq ($(HAVE_MBEDTLS),)
export HAVE_MBEDTLS = y
endif
+ifeq ($(HAVE_P11KIT),)
+export HAVE_P11KIT = y
+endif
+
ifeq ($(HAVE_JSON_C),)
export HAVE_JSON_C = y
endif
@@ -152,6 +152,13 @@ endif
ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
KBUILD_CPPFLAGS += -I/usr/include/wolfssl -DOPENSSL_ALL -DWOLFSSL_APACHE_HTTPD
LDLIBS += wolfssl
+else ifeq ($(CONFIG_PKCS11),y)
+LDLIBS += wolfssl
+endif
+
+ifeq ($(CONFIG_PKCS11),y)
+KBUILD_CPPFLAGS += -I/usr/include/p11-kit-1
+LDLIBS += p11-kit
endif
ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
@@ -7,7 +7,11 @@ lib-$(CONFIG_MTD) += mtd-interface.o
lib-$(CONFIG_LUA) += lua_interface.o lua_compat.o
ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
lib-$(CONFIG_HASH_VERIFY) += verify_signature.o
+ifeq ($(CONFIG_PKCS11),y)
+lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt.o
+endif
lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o
lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o
endif
@@ -17,7 +21,11 @@ lib-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o
endif
ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
lib-$(CONFIG_HASH_VERIFY) += verify_signature_mbedtls.o
+ifeq ($(CONFIG_PKCS11),y)
+lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
+endif
lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
endif
@@ -15,7 +15,9 @@
## along with this program; if not, write to the Free Software
## Foundation, Inc.
+ifneq ($(CONFIG_PKCS11),y)
tests-$(CONFIG_ENCRYPTED_IMAGES) += test_crypt
+endif
tests-$(CONFIG_HASH_VERIFY) += test_hash
ifeq ($(CONFIG_SIGALG_RAWRSA),y)
tests-$(CONFIG_SIGNED_IMAGES) += test_verify