Message ID | 20240903100952.3789698-1-lars@underjord.io |
---|---|
State | Changes Requested |
Series | [v3] package/wpa_supplicant: add Smart card option |
Hi I submitted a v3 which I see in patchwork but I don't see it in my sent email so I'm uncertain about whether it reached the list okay. Link in patchwork: https://patchwork.ozlabs.org/project/buildroot/patch/20240903100952.3789698-1-lars@underjord.io/ -Lars On Tue, Sep 3, 2024 at 12:09 PM Lars Wikman <lars@underjord.io> wrote: > CONFIG_SMARTCARD was unconditionally disabled which has meant that > even if OpenSSL is compiled with engine support and the supplicant > is configured to use an engine it would warn that it was compiled > without engine support. > > This mechanism is used to enable the more secure forms of 802.1x > networking authentication such as EAP-TLS with hardware-delegated > cryptography and private keys protected in hardware. > > It is still disabled by default in case there was an original reason. > > Enabling the option will allow delegating private key access to TPM2, > ARM TrustZone and other specialized secure hardware for establishing > a network connection. > > Signed-off-by: Lars Wikman <lars@underjord.io> > > --- > Changes v1 -> v2: > - Change option name to focus on smartcard (suggested by Sergey) > Changes v2 -> v3: > - Change setting disabled to match convention (suggested by Baruch) > > Signed-off-by: Lars Wikman <lars@underjord.io> > --- > package/wpa_supplicant/Config.in | 6 ++++++ > package/wpa_supplicant/wpa_supplicant.mk | 9 ++++++--- > 2 files changed, 12 insertions(+), 3 deletions(-) > > diff --git a/package/wpa_supplicant/Config.in > b/package/wpa_supplicant/Config.in > index 92953f69f0..2aee108fc1 100644 > --- a/package/wpa_supplicant/Config.in > +++ b/package/wpa_supplicant/Config.in > @@ -175,4 +175,10 @@ config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION > help > Add introspection support for the DBus control interface. > > +config BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD > + bool "Smartcard support" > + help > + Enable the smart card support. Required for OpenSSL engines > + to work using PKCS11 and 802.1x > + > endif 
> diff --git a/package/wpa_supplicant/wpa_supplicant.mk > b/package/wpa_supplicant/wpa_supplicant.mk > index 984959f679..6199e584d0 100644 > --- a/package/wpa_supplicant/wpa_supplicant.mk > +++ b/package/wpa_supplicant/wpa_supplicant.mk > @@ -24,9 +24,6 @@ WPA_SUPPLICANT_CONFIG_ENABLE = \ > CONFIG_INTERNAL_LIBTOMMATH \ > CONFIG_MATCH_IFACE > > -WPA_SUPPLICANT_CONFIG_DISABLE = \ > - CONFIG_SMARTCARD > - > # libnl-3 needs -lm (for rint) and -lpthread if linking statically > # And library order matters hence stick -lnl-3 first since it's appended > # in the wpa_supplicant Makefiles as in LIBS+=-lnl-3 ... thus failing > @@ -180,6 +177,12 @@ WPA_SUPPLICANT_DEPENDENCIES += readline > WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE > endif > > +ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD),y) > +WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_SMARTCARD > +else > +WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_SMARTCARD > +endif > + > ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),y) > define WPA_SUPPLICANT_ENABLE_CTRL_IFACE > sed -i '/ctrl_interface/s/^#//g' > $(TARGET_DIR)/etc/wpa_supplicant.conf > -- > 2.34.1 > >
Hi Lars, On Mon, Sep 09 2024, Lars Wikman wrote: > I submitted a v3 which I see in patchwork but I don't see it in my > sent email so I'm uncertain about whether it reached the list okay. > > Link in patchwork: https://patchwork.ozlabs.org/project/buildroot/patch/20240903100952.3789698-1-lars@underjord.io/ Patches are tracked on patchwork. If your patch is there, maintainers will get to it sooner or later. Your patch is also on the list archive: https://lore.kernel.org/all/20240903100952.3789698-1-lars@underjord.io/ So all looks OK. baruch > On Tue, Sep 3, 2024 at 12:09 PM Lars Wikman <lars@underjord.io> wrote: > > CONFIG_SMARTCARD was unconditionally disabled which has meant that > even if OpenSSL is compiled with engine support and the supplicant > is configured to use an engine it would warn that it was compiled > without engine support. > > This mechanism is used to enable the more secure forms of 802.1x > networking authentication such as EAP-TLS with hardware-delegated > cryptography and private keys protected in hardware. > > It is still disabled by default in case there was an original reason. > > Enabling the option will allow delegating private key access to TPM2, > ARM TrustZone and other specialized secure hardware for establishing > a network connection. > > Signed-off-by: Lars Wikman <lars@underjord.io> > > --- > Changes v1 -> v2: > - Change option name to focus on smartcard (suggested by Sergey) > Changes v2 -> v3: > - Change setting disabled to match convention (suggested by Baruch) > > Signed-off-by: Lars Wikman <lars@underjord.io> > --- > package/wpa_supplicant/Config.in | 6 ++++++ > package/wpa_supplicant/wpa_supplicant.mk | 9 ++++++--- > 2 files changed, 12 insertions(+), 3 deletions(-) > > diff --git a/package/wpa_supplicant/Config.in b/package/wpa_supplicant/Config.in > index 92953f69f0..2aee108fc1 100644 > --- a/package/wpa_supplicant/Config.in > +++ b/package/wpa_supplicant/Config.in
> @@ -175,4 +175,10 @@ config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION > help > Add introspection support for the DBus control interface. > > +config BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD > + bool "Smartcard support" > + help > + Enable the smart card support. Required for OpenSSL engines > + to work using PKCS11 and 802.1x > + > endif > diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk > index 984959f679..6199e584d0 100644 > --- a/package/wpa_supplicant/wpa_supplicant.mk > +++ b/package/wpa_supplicant/wpa_supplicant.mk > @@ -24,9 +24,6 @@ WPA_SUPPLICANT_CONFIG_ENABLE = \ > CONFIG_INTERNAL_LIBTOMMATH \ > CONFIG_MATCH_IFACE > > -WPA_SUPPLICANT_CONFIG_DISABLE = \ > - CONFIG_SMARTCARD > - > # libnl-3 needs -lm (for rint) and -lpthread if linking statically > # And library order matters hence stick -lnl-3 first since it's appended > # in the wpa_supplicant Makefiles as in LIBS+=-lnl-3 ... thus failing > @@ -180,6 +177,12 @@ WPA_SUPPLICANT_DEPENDENCIES += readline > WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE > endif > > +ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD),y) > +WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_SMARTCARD > +else > +WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_SMARTCARD > +endif > + > ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),y) > define WPA_SUPPLICANT_ENABLE_CTRL_IFACE > sed -i '/ctrl_interface/s/^#//g' $(TARGET_DIR)/etc/wpa_supplicant.conf > -- > 2.34.1 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
Good, thanks :) On Mon, Sep 9, 2024 at 9:46 AM Baruch Siach <baruch@tkos.co.il> wrote: > Hi Lars, > > On Mon, Sep 09 2024, Lars Wikman wrote: > > I submitted a v3 which I see in patchwork but I don't see it in my > > sent email so I'm uncertain about whether it reached the list okay. > > > > Link in patchwork: > https://patchwork.ozlabs.org/project/buildroot/patch/20240903100952.3789698-1-lars@underjord.io/ > > Patches are tracked on patchwork. If your patch is there, maintainers > will get to it sooner or later. > > Your patch is also on the list archive: > > https://lore.kernel.org/all/20240903100952.3789698-1-lars@underjord.io/ > > So all looks OK. > > baruch > > > On Tue, Sep 3, 2024 at 12:09 PM Lars Wikman <lars@underjord.io> wrote: > > > > CONFIG_SMARTCARD was unconditionally disabled which has meant that > > even if OpenSSL is compiled with engine support and the supplicant > > is configured to use an engine it would warn that it was compiled > > without engine support. > > > > This mechanism is used to enable the more secure forms of 802.1x > > networking authentication such as EAP-TLS with hardware-delegated > > cryptography and private keys protected in hardware. > > > > It is still disabled by default in case there was an original reason. > > > > Enabling the option will allow delegating private key access to TPM2, > > ARM TrustZone and other specialized secure hardware for establishing > > a network connection. > > > > Signed-off-by: Lars Wikman <lars@underjord.io> > > > > --- > > Changes v1 -> v2: > > - Change option name to focus on smartcard (suggested by Sergey) > > Changes v2 -> v3: > > - Change setting disabled to match convention (suggested by Baruch) > > > > Signed-off-by: Lars Wikman <lars@underjord.io> > > --- > > package/wpa_supplicant/Config.in | 6 ++++++ > > package/wpa_supplicant/wpa_supplicant.mk | 9 ++++++--- > > 2 files changed, 12 insertions(+), 3 deletions(-)
> > > > diff --git a/package/wpa_supplicant/Config.in > b/package/wpa_supplicant/Config.in > > index 92953f69f0..2aee108fc1 100644 > > --- a/package/wpa_supplicant/Config.in > > +++ b/package/wpa_supplicant/Config.in > > @@ -175,4 +175,10 @@ config > BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION > > help > > Add introspection support for the DBus control interface. > > > > +config BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD > > + bool "Smartcard support" > > + help > > + Enable the smart card support. Required for OpenSSL engines > > + to work using PKCS11 and 802.1x > > + > > endif > > diff --git a/package/wpa_supplicant/wpa_supplicant.mk > b/package/wpa_supplicant/wpa_supplicant.mk > > index 984959f679..6199e584d0 100644 > > --- a/package/wpa_supplicant/wpa_supplicant.mk > > +++ b/package/wpa_supplicant/wpa_supplicant.mk > > @@ -24,9 +24,6 @@ WPA_SUPPLICANT_CONFIG_ENABLE = \ > > CONFIG_INTERNAL_LIBTOMMATH \ > > CONFIG_MATCH_IFACE > > > > -WPA_SUPPLICANT_CONFIG_DISABLE = \ > > - CONFIG_SMARTCARD > > - > > # libnl-3 needs -lm (for rint) and -lpthread if linking statically > > # And library order matters hence stick -lnl-3 first since it's > appended > > # in the wpa_supplicant Makefiles as in LIBS+=-lnl-3 ... thus failing
> > @@ -180,6 +177,12 @@ WPA_SUPPLICANT_DEPENDENCIES += readline > > WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE > > endif > > > > +ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD),y) > > +WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_SMARTCARD > > +else > > +WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_SMARTCARD > > +endif > > + > > ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),y) > > define WPA_SUPPLICANT_ENABLE_CTRL_IFACE > > sed -i '/ctrl_interface/s/^#//g' > $(TARGET_DIR)/etc/wpa_supplicant.conf > > -- > > 2.34.1 > > > > _______________________________________________ > > buildroot mailing list > > buildroot@buildroot.org > > https://lists.buildroot.org/mailman/listinfo/buildroot > > -- > ~. .~ Tk Open > Systems > =}------------------------------------------------ooO--U--Ooo------------{= > - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il - >
Hello Lars,

On Tue, 3 Sep 2024 12:09:52 +0200
Lars Wikman <lars@underjord.io> wrote:

> CONFIG_SMARTCARD was unconditionally disabled which has meant that
> even if OpenSSL is compiled with engine support and the supplicant
> is configured to use an engine it would warn that it was compiled
> without engine support.
>
> This mechanism is used to enable the more secure forms of 802.1x
> networking authentication such as EAP-TLS with hardware-delegated
> cryptography and private keys protected in hardware.
>
> It is still disabled by default in case there was an original reason.
>
> Enabling the option will allow delegating private key access to TPM2,
> ARM TrustZone and other specialized secure hardware for establishing
> a network connection.
>
> Signed-off-by: Lars Wikman <lars@underjord.io>
>
> ---
> Changes v1 -> v2:
> - Change option name to focus on smartcard (suggested by Sergey)
> Changes v2 -> v3:
> - Change setting disabled to match convention (suggested by Baruch)

Sorry for the delay in getting back to you. I reviewed/tested your
patch, but I believe something needs to be improved, but I wasn't sure
so I wasn't confident to do it myself.

I built the following configuration:

BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_WPA_SUPPLICANT=y
# BR2_PACKAGE_WPA_SUPPLICANT_NL80211 is not set
BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD=y
# BR2_TARGET_ROOTFS_TAR is not set

which really has just wpa_supplicant with all options disabled except
smartcard. And my understanding is that in this configuration...
enabling the smartcard option is a no-op, because I don't even have
OpenSSL enabled in my configuration.

Since the smartcard option only affects the OpenSSL integration in
wpa_supplicant, shouldn't this option have:

  select BR2_PACKAGE_OPENSSL
  select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL

like the other options that need OpenSSL support?

Thanks in advance for your feedback,

Thomas
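A check for the failure mode Thomas describes above (CONFIG_SMARTCARD turned on in a build whose TLS backend is not OpenSSL), written as an added example that is not part of the thread or of Buildroot. It inspects a wpa_supplicant build .config by its upstream keys CONFIG_SMARTCARD and CONFIG_TLS; the sample configs are constructed inline.

```shell
#!/bin/sh
# Added example, not Buildroot code: report whether the smartcard option in
# a wpa_supplicant build .config actually takes effect. CONFIG_SMARTCARD only
# matters for the OpenSSL TLS backend (CONFIG_TLS=openssl).

# Print the effective value of CONFIG_<key>: the last uncommented
# "CONFIG_<key>=value" line wins; "#CONFIG_<key>=y" or no line prints nothing.
wpa_cfg_value() {
    # $1 = path to the build .config, $2 = key without the CONFIG_ prefix
    sed -n "s/^CONFIG_$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# Print one of: effective (SMARTCARD=y with the OpenSSL backend),
# noop (SMARTCARD=y but another backend, the case found in testing),
# disabled (SMARTCARD not enabled).
check_smartcard() {
    sc=$(wpa_cfg_value "$1" SMARTCARD)
    tls=$(wpa_cfg_value "$1" TLS)
    # wpa_supplicant's Makefile falls back to openssl when CONFIG_TLS is unset
    [ -n "$tls" ] || tls=openssl
    if [ "$sc" != y ]; then
        echo disabled
    elif [ "$tls" = openssl ]; then
        echo effective
    else
        echo noop
    fi
}

# Constructed samples (not captured from a real build).
# 1: smartcard on, but the build was configured without OpenSSL.
noop_cfg=$(mktemp)
printf '%s\n' 'CONFIG_DRIVER_WEXT=y' 'CONFIG_SMARTCARD=y' 'CONFIG_TLS=internal' > "$noop_cfg"
# 2: smartcard on with the OpenSSL backend; the commented-out line is ignored.
ok_cfg=$(mktemp)
printf '%s\n' 'CONFIG_TLS=openssl' '#CONFIG_SMARTCARD=y' 'CONFIG_SMARTCARD=y' > "$ok_cfg"
# 3: the pre-patch Buildroot default: smartcard disabled.
off_cfg=$(mktemp)
printf '%s\n' 'CONFIG_TLS=openssl' '#CONFIG_SMARTCARD=y' > "$off_cfg"

for f in "$noop_cfg" "$ok_cfg" "$off_cfg"; do
    echo "$f: $(check_smartcard "$f")"
done
```

Point it at the .config in a Buildroot build directory (a path that is an assumption here, not given in the thread) to confirm that the option selected in menuconfig reached a build where it can matter.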
Hi Thanks for testing it out. I think you have the right idea. I can add those. -L On Tue, 29 Oct 2024 at 23:06, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote: > Hello Lars, > > On Tue, 3 Sep 2024 12:09:52 +0200 > Lars Wikman <lars@underjord.io> wrote: > > > CONFIG_SMARTCARD was unconditionally disabled which has meant that > > even if OpenSSL is compiled with engine support and the supplicant > > is configured to use an engine it would warn that it was compiled > > without engine support. > > > > This mechanism is used to enable the more secure forms of 802.1x > > networking authentication such as EAP-TLS with hardware-delegated > > cryptography and private keys protected in hardware. > > > > It is still disabled by default in case there was an original reason. > > > > Enabling the option will allow delegating private key access to TPM2, > > ARM TrustZone and other specialized secure hardware for establishing > > a network connection. > > > > Signed-off-by: Lars Wikman <lars@underjord.io> > > > > --- > > Changes v1 -> v2: > > - Change option name to focus on smartcard (suggested by Sergey) > > Changes v2 -> v3: > > - Change setting disabled to match convention (suggested by Baruch) > > Sorry for the delay in getting back to you. I reviewed/tested your > patch, but I believe something needs to be improved, but I wasn't sure > so I wasn't confident to do it myself. > > I built the following configuration: > > BR2_arm=y > BR2_cortex_a9=y > BR2_ARM_ENABLE_VFP=y > BR2_TOOLCHAIN_EXTERNAL=y > BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y > BR2_INIT_NONE=y > BR2_SYSTEM_BIN_SH_NONE=y > # BR2_PACKAGE_BUSYBOX is not set > BR2_PACKAGE_WPA_SUPPLICANT=y > # BR2_PACKAGE_WPA_SUPPLICANT_NL80211 is not set > BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD=y > # BR2_TARGET_ROOTFS_TAR is not set > > which really has just wpa_supplicant with all options disabled except > smartcard. And my understanding is that in this configuration... 
> enabling the smartcard option is a no-op, because I don't even have > OpenSSL enabled in my configuration. > > Since the smartcard option only affects the OpenSSL integration in > wpa_supplicant, shouldn't this option have: > > select BR2_PACKAGE_OPENSSL > select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL > > like the other options that need OpenSSL support? > > Thanks in advance for your feedback, > > Thomas > -- > Thomas Petazzoni, CTO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com >
diff --git a/package/wpa_supplicant/Config.in b/package/wpa_supplicant/Config.in index 92953f69f0..2aee108fc1 100644 --- a/package/wpa_supplicant/Config.in +++ b/package/wpa_supplicant/Config.in @@ -175,4 +175,10 @@ config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION help Add introspection support for the DBus control interface. +config BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD + bool "Smartcard support" + help + Enable the smart card support. Required for OpenSSL engines + to work using PKCS11 and 802.1x + endif diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk index 984959f679..6199e584d0 100644 --- a/package/wpa_supplicant/wpa_supplicant.mk +++ b/package/wpa_supplicant/wpa_supplicant.mk @@ -24,9 +24,6 @@ WPA_SUPPLICANT_CONFIG_ENABLE = \ CONFIG_INTERNAL_LIBTOMMATH \ CONFIG_MATCH_IFACE -WPA_SUPPLICANT_CONFIG_DISABLE = \ - CONFIG_SMARTCARD - # libnl-3 needs -lm (for rint) and -lpthread if linking statically # And library order matters hence stick -lnl-3 first since it's appended # in the wpa_supplicant Makefiles as in LIBS+=-lnl-3 ... thus failing @@ -180,6 +177,12 @@ WPA_SUPPLICANT_DEPENDENCIES += readline WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_READLINE endif +ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD),y) +WPA_SUPPLICANT_CONFIG_ENABLE += CONFIG_SMARTCARD +else +WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_SMARTCARD +endif + ifeq ($(BR2_PACKAGE_WPA_SUPPLICANT_CTRL_IFACE),y) define WPA_SUPPLICANT_ENABLE_CTRL_IFACE sed -i '/ctrl_interface/s/^#//g' $(TARGET_DIR)/etc/wpa_supplicant.conf
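Review bot: in the Config.in hunk, the new BR2_PACKAGE_WPA_SUPPLICANT_SMARTCARD entry has no dependency on OpenSSL although CONFIG_SMARTCARD only has an effect in the OpenSSL backend (the help text itself says "Required for OpenSSL engines"), so the option can be enabled in a build without OpenSSL and silently do nothing, which is exactly what the test in the thread found. Add `select BR2_PACKAGE_OPENSSL` and `select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL` under the bool line, as the other OpenSSL-dependent options do, and end the help text with a full stop. Please also confirm that the `endif` right after the new entry closes the package-level `if BR2_PACKAGE_WPA_SUPPLICANT` and not a DBus-only block, since the entry is placed directly below BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION; if it is a DBus block, the option would only be visible when DBus support is on.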
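Review bot: in the first wpa_supplicant.mk hunk, deleting the only plain assignment `WPA_SUPPLICANT_CONFIG_DISABLE = \ CONFIG_SMARTCARD` leaves the variable defined solely through later `+=` lines; GNU make accepts that, but keeping an empty `WPA_SUPPLICANT_CONFIG_DISABLE =` beside WPA_SUPPLICANT_CONFIG_ENABLE makes the declaration visible in one place and mirrors the enable list. Also check that nothing earlier in the file appended to WPA_SUPPLICANT_CONFIG_DISABLE: the old `=` would have discarded such a value, and with it gone the append would now take effect.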
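Review bot: in the second wpa_supplicant.mk hunk the else branch keeps CONFIG_SMARTCARD disabled by default, so the pre-patch behaviour is preserved and the block follows the readline block above it; the logic is fine as written. The remaining gap is that the `y` branch is reached whenever the Kconfig symbol is set, with or without OpenSSL, so it depends on the Config.in entry selecting OpenSSL; a one-line comment above the ifeq saying that CONFIG_SMARTCARD only has an effect with the OpenSSL TLS backend would save the next reader the same investigation, in the style of the libnl-3 comment a few lines earlier.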