ta: pkcs11: default disable raw RSA mechanism, default enable in plat-vexpress #7176
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Preferably with |
etienne-lms
force-pushed
the
pkcs11-raw-rsa
branch
from
d84f95e to
66d8e46
Compare
Disable CFG_PKCS11_TA_RSA_X_509 in pkcs11 TA default configuration since raw RSA signature (CKM_RSA_X_509) computation and verification can be unsafe. Target systems willing to embed its support (e.g. for some TSL v1.2 support) will need to enable it explicitly. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jerome Forissier <[email protected]>
Default enable PKCS#11 TA config switch CFG_PKCS11_TA_RSA_X_509 to embed this feature in the TA test environment. Raw RSA is no more a recommended feature but can be required for some TLS v1.2 feature support. Therefore CFG_PKCS11_TA_RSA_X_509 has been disable in PKCS#11 TA default configuration but should still be supported hence we enable it in vexpress platforms that are intended to test and development environments. Signed-off-by: Etienne Carriere <[email protected]> Acked-by: Jerome Forissier <[email protected]>
etienne-lms
force-pushed
the
pkcs11-raw-rsa
branch
from
66d8e46 to
98328d9
Compare
|
Commit message fixed and review tag applied. |
|
I've triggered a CI test round since recent merges in build.git should now lead to an all-success status. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Raw RSA signature (PKCS#11 mechanism CKM_RSA_X_509) is not a recommended scheme because unsafe when used with unsafe padding schemes. It's been added in the pkcs11 TA because needed for some TLS v1.2 scenario. I propose to disable it in the pkcs11 TA default config to prevent confusion but enable it in plat-vexpress default config so that it is tested (build + xtest).