[Celinux-dev] RFC - Secure Bootloader patch
Stephen Johnson
steve at research.panasonic.com
Wed Aug 23 11:27:30 PDT 2006
Matt Mackall <mpm at selenic.com> writes:
> On Tue, Aug 22, 2006 at 03:57:27PM -0400, Stephen Johnson wrote:
>> At OLS last month I demoed a Secure Boot Loader that was based on a
>> u-boot that had been modified to verify an image signature using a
>> SHA1 digest and RSA encryption/decryption. Because I could find the
>> information fairly easily about SHA1 and RSA from the OpenSSL package,
>> that's what I used. Hence, the modified u-boot ran quite quickly, but
>> was rather large. I'm including the u-boot patch in this message so
>> that others can look at it for ways to cut the size. The eventual
>> goal is to release this patch to the community.
>>
>> Notes:
>> - The u-boot was downloaded from the u-boot git tree on August 1, but
>> the patch also applied cleanly with a u-boot version from June.
>> - I'm linking against openssl-0.9.8b.
>
> Bad news: I'm afraid this isn't allowed. The OpenSSL license is
> notorious for not being GPL-compatible and u-boot doesn't have an
> exception clause for linking with OpenSSL (the usual way to deal with
> this).
>
> Also note the GPL's library exception for libraries shipped with an
> operating system can't be made to apply here.
>
> Possible alternatives are GNU TLS and MatrixSSL.
>
Thanks for these alternate SSLs. My initial quick look at OpenSSL
said the license was BSDish. I guess the "ish" should have been the
key to investigate further. One of the reasons for posting this patch
was to draw out other libraries that might give a smaller footprint
for the resulting u-boot, so now there are more to try.
Steve
More information about the Celinux-dev
mailing list