ta: pkcs11: default disable CFG_PKCS11_TA_RSA_X_509

Disable CFG_PKCS11_TA_RSA_X_509 in pkcs11 TA default configuration since raw RSA signature (CKM_RSA_X_509) computation and verification can be unsafe. Target systems willing to embed its support (e.g. for some TSL v1.2 support) will need to enable it explicitly. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jerome Forissier <[email protected]>
OP-TEE · Dec 13, 2024 · 8cf8403 · 8cf8403
1 parent c1e499a
commit 8cf8403
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ta/pkcs11/sub.mk b/ta/pkcs11/sub.mk
@@ -16,7 +16,7 @@ CFG_PKCS11_TA_CHECK_VALUE_ATTRIBUTE ?= y
 # When enabled, embed support for CKM_RSA_X_509 (a.k.a. Raw RSA) ciphering
 # and authentication. The feature can be needed for some TLS v1.2 connections.
 # Raw RSA can be unsafe if client uses a weak clear data padding scheme.
-CFG_PKCS11_TA_RSA_X_509 ?= y
+CFG_PKCS11_TA_RSA_X_509 ?= n
 
 global-incdirs-y += include
 global-incdirs-y += src