[U-Boot] Secure update of uboot devices?

[Andreas Bäck]

Hello

Our linux boxes with Uboot and frescale mpc5200B are set at production with
software and that is no problem.
But then when the need to update software afterwards in the field is today
only so simple that if uboot finds a usb stick with a file uImage then it
will start that and do all the updates.
What I am after a litle more tamperproff way of knowing that the software
that is updated to these hardware software are not totally modified /
hacked.

If one could have e.g uboot to verify uImage that it signed with right
private key (The software in production would have compiled in the public
part),
I relize it can be hard to prevent all things with our current hardware but
if one could at last rise the level so that at least some jtag debugger is
need to modify the content and not only a only basic tools
found in any windows/linux computer. We are also starting to design next
generation of hardware and here more can be done in the hardware to rise
the bar even more.

Or have you any other suggestion on how this could be improved?

Thanks in advance