[U-Boot] Authenticated boot

Kees-Jan Hermans hermans at fox-it.com
Wed Aug 21 17:01:25 CEST 2013


Hello,

The last reference I could find about it is an email from Dec. 17, 2012, but I'd like to re-ignite the discussion. Also, I'm new here - forgive me if I'm asking stupid questions.

I'd like to implement a form of authenticated boot into U-Boot. That is, I need it myself for a device that I'm making, and I'll gladly use anything if it is already available, but I don't think it is. For my solution, I'm assuming that the following three files/buffers exist (somewhere accessible to U-Boot):

- A boot image (a RAM disk)
- A public key (type RSA in some format, perhaps simpler than X.509 PEM to keep additional source code small)
- A signature

and a function, based on those three files (I suppose that - although difficult - the signature can be part of the boot image, while the public key may have to be in a boot-flash partition), that tells U-Boot whether booting the image is OK or not (and not booting when it's not OK).

I propose to do this not using hardware encryption (which might not always be available and which, in my case, I'm not even allowed to use) or OpenSSL (which is a monster), but (parts of) PolarSSL for the crypto, which, unlike OpenSSL, is quite easy to pull in.

That is, of course, unless this feature already exists, which I would very much like to hear about. Thanks for your time,

KJ
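As an added illustration (not code from the post, from U-Boot or from PolarSSL), the image / public key / signature check the post describes, written in Python so the logic is easy to read; the public key uses the simple format the post suggests, just the integers (n, e) with no X.509, and the signature is RSASSA-PKCS1-v1_5 over SHA-256 of the image. The demo key pair is constructed from two well-known Mersenne primes and exists only so the example runs offline.

```python
"""Constructed example: verify a RAM-disk image against an RSA public key (n, e)
and a detached signature, the decision point where a boot loader would refuse
to boot. Not U-Boot or PolarSSL code."""
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256, from RFC 8017 section 9.2, note 1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(image, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image); None if the modulus is too short."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    if em_len < len(t) + 11:
        return None
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_boot_image(image, pubkey, signature):
    """True only if signature is a valid PKCS#1 v1.5 / SHA-256 signature over image.
    A False result is where the boot loader must stop and not boot the image."""
    n, e = pubkey
    k = (n.bit_length() + 7) // 8          # modulus length in bytes
    if len(signature) != k:                # wrong-length blob: reject outright
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:                             # out-of-range signature value
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15(image, k)
    # Compare the entire encoded message in constant time, not just the hash
    # bytes at the end, so a malformed padding cannot be accepted.
    return expected is not None and hmac.compare_digest(em, expected)


def sign_boot_image(image, privkey):
    """Build-time signing step: runs on the developer host, never in the boot loader."""
    n, d = privkey
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(image, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def demo_keypair():
    """CONSTRUCTED demo key: p and q are public Mersenne primes, so this key is
    known to everyone and must never be used on a real device."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


if __name__ == "__main__":
    pub, priv = demo_keypair()
    ramdisk = b"constructed stand-in for a RAM disk image"
    sig = sign_boot_image(ramdisk, priv)
    print("boot allowed:", verify_boot_image(ramdisk, pub, sig))
    print("tampered image allowed:", verify_boot_image(ramdisk + b"x", pub, sig))
```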