[security][mbedtls] add support for loading certificates from the file system #1987
Rbb666 merged 2 commits into RT-Thread:master from
Pull request overview
This PR updates the RT-Thread package index entry for security/mbedtls to expose a new Kconfig option for loading CA certificates from a filesystem directory, aligning the package configuration with upstream support.
Changes:
- Add `PKG_USING_MBEDTLS_CERTS_FROM_FS` menuconfig option to enable loading CA certs from a directory.
- Add `PKG_MBEDTLS_CERTS_DIR` string config to set the certificate directory path (default `/romfs/certs`).
- Hide the “Select Root Certificate” menu when filesystem-based cert loading is enabled.
|
|
||
| menuconfig PKG_USING_MBEDTLS_CERTS_FROM_FS | ||
| bool "Load CA certificates from filesystem directory" | ||
| select RT_USING_DFS_ROMFS |
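Review bot: The prompt on `bool "Load CA certificates from filesystem directory"` does not tell the integrator that the configured directory becomes the set of CA certificates the device loads, so its write protection is part of the TLS trust model. Suggest stating in this option's help text that the directory should sit on read-only or integrity-protected storage, because any component able to write a file there can add a CA. The `select RT_USING_DFS_ROMFS` line points at a read-only image as the intended case; if writable paths are also meant to be supported, the help should say what protection is expected for them.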
[operational_implications]: Selecting ROMFS conflicts with “filesystem directory” behavior
PKG_USING_MBEDTLS_CERTS_FROM_FS currently selects RT_USING_DFS_ROMFS, but the option/help and examples imply certificates can be loaded from an arbitrary runtime filesystem directory (e.g. /data/certs). Forcing ROMFS may enable an unnecessary filesystem backend and is inconsistent with non-ROMFS paths. Consider depending on/selecting the generic file/dir APIs actually required (e.g. RT_USING_POSIX_FS/DFS) and keep ROMFS as just the default path example rather than a hard requirement.
| select RT_USING_DFS_ROMFS |
| if PKG_USING_MBEDTLS | ||
|
|
||
| menuconfig PKG_USING_MBEDTLS_CERTS_FROM_FS | ||
| bool "Load CA certificates from filesystem directory" |
[spelling]: Grammar in prompt string
The prompt text "Load CA certificates from filesystem directory" is missing an article and reads awkwardly. Consider changing it to "Load CA certificates from a filesystem directory" (or "from the filesystem").
| bool "Load CA certificates from filesystem directory" | |
| bool "Load CA certificates from a filesystem directory" |
|
|
||
| if PKG_USING_MBEDTLS | ||
|
|
||
| menuconfig PKG_USING_MBEDTLS_CERTS_FROM_FS |
[discrepancy_with_pr_description]: PR description is only a link
The PR description only links to an upstream PR and doesn’t summarize What/Why/How for this repository change (e.g., which Kconfig symbols are added and why). Please add a brief description and list the modified file(s) to make review and future archaeology easier.
RT-Thread-packages/mbedtls#61