wolfssl and pkcs11 build error

126 views
Skip to first unread message

Matt Wood

unread,
Feb 21, 2024, 2:19:15 PM2/21/24
to swupdate
Hi all,

has anyone built swupdate with wolfssl and pkcs11 support for decrypting encrypted images recently?

CONFIG_PKCS11 documentation states that it is implemented with wolfssl independent from the main SSL implementation.  Currently openSSL is enabled and I simply wanted to test PKCS11 decryption support.

I had to modify the swupdate bbappend to add DEPENDS += "wolfssl"  to get past an initial build error.  Now I am getting an error in swupdate that it cannot find p11-kit/uri.h which is included from sslapi.h

I tried adding DEPENDS += "wolfssl p11-kit" to the swupdate bbappend but that did not work.

Another question is why does swupdate only support PKCS11 for wolfssl (for encrypted images)?  I found the initial patch series that adds PKCS11 support using wolfssl because openssl required an engine initialization but this could be perfectly acceptable for a situation where one does not want to use wolfssl.

Or is there some other reason why openSSL should not be used?

Thanks, Matt.

Stefano Babic

unread,
Feb 21, 2024, 4:42:16 PM2/21/24
to Matt Wood, swupdate
Hi Matt,
By pure chance I talked this week with someone about TPM2 support in
SWUpdate, and I took a deeper look inside the current status.

And yes, there is the issues you found, but even fixing the p11-kit
topic, it is far away to be good. I have found several other issues if I
switch to another implementation than openssl (you can even select
pkcs#11 without selecting wolfssl for example).

In fact, there are several contamination between the supported crypto
libraries (openssl vs wolfssl vs mbedtls vs gpg). The introduction of
new libraries was added, but this was done by fixing build issues and
making the code less maintainable.

This led me to send today a patch as TODO
(https://groups.google.com/g/swupdate/c/UURURVu5egA) with:

" rework support for crypto engine - let possible to load multiple
libraries at the same time. Currently, there is support for openSSL,
WolfSSL and mbedTLS. There should be a way to select one or more
libraries and independently the algorithms that SWUpdate should support.
Some hacks are currently built to avoid conflicts (pkcs#7 and CMS are
the same thing, but supported by different libraries), and they should
be solved"

IMHO there are the following components to be identified and supported
in some way:

- crypto libraries: currently 4 libraries are supported, and it should
be possible to select one or all of them.

- services: SWUpdate asks for 3 type of services: hashing, decryption
and digest (verification). Each library offers all 3 or just some of
them, depending what is implemented.

- module: a "crypto" module should implement a service using one of the
possible algorithm. For example, openssl modules providing verification
are RSA and CMS. Decrypting will have pkcs#11. A pkcs#11 module can be
implemented with openssl or wolfssl, and the user / integrator should
just pick up what he wants.

If a system has more than one library, SWUpdate should be able to
support more modules at the same time.

So there is work to do - hopefully I will find a customer who is aware
of this or I can well explain, and needs some extensions to be
implemented, allowing me to fix this what it currently looks quite messy.

Best regards,
Stefano

ayoub...@googlemail.com

unread,
Feb 22, 2024, 3:12:43 AM2/22/24
to swupdate
Hello,

for the information only wolfssl support PKCS#11 AES :
  • OpenSSL has no support at all for Symetric Crypto over PKCS#11
  • Embedtls has dropped completly PKCS#11 support.
Best

Stefano Babic

unread,
Feb 22, 2024, 3:23:08 AM2/22/24
to ayoub...@googlemail.com, swupdate
Hi Ayoub,

On 22.02.24 09:12, 'ayoub...@googlemail.com' via swupdate wrote:
> Hello,
>
> for the information only wolfssl support PKCS#11 AES :
>
> * OpenSSL has no support at all for Symetric Crypto over PKCS#11
> * Embedtls has dropped completly PKCS#11 support.
>

Thanks for clarification.


Anyway, current support in SWUpdate is confusing. There should be a
decryption choice where PKCS#11 shows up if WolfSSL is turned on - but
as far as I know, there is pkcs#11 support in openssl for verifying
(digest), and this could be supported in future, too.

Regards,
Stefano
> <https://groups.google.com/g/swupdate/c/UURURVu5egA>) with:
> --
> You received this message because you are subscribed to the Google
> Groups "swupdate" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to swupdate+u...@googlegroups.com
> <mailto:swupdate+u...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/swupdate/62243703-e11d-483c-8203-08c7ec4bbcdbn%40googlegroups.com <https://groups.google.com/d/msgid/swupdate/62243703-e11d-483c-8203-08c7ec4bbcdbn%40googlegroups.com?utm_medium=email&utm_source=footer>.

ayoub...@googlemail.com

unread,
Feb 22, 2024, 3:47:04 AM2/22/24
to swupdate
Hi Stefano,


Best,
Ayoub
Reply all
Reply to author
Forward
0 new messages