[U-Boot] Secure update of uboot devices?

Simon Glass sjg at chromium.org
Tue Jan 8 22:15:21 CET 2013


Hi Andreas,

On Sat, Mar 17, 2012 at 2:25 AM, Andreas Bäck <andreas.back778 at gmail.com> wrote:
> Hello
>
> Our Linux boxes with U-Boot and Freescale MPC5200B are set at production with
> software and that is no problem.
> But when the need arises to update software afterwards in the field, it is today
> only so simple that if U-Boot finds a USB stick with a file uImage then it
> will start that and do all the updates.
> What I am after is a little more tamper-proof way of knowing that the software
> that is updated to this hardware is not totally modified /
> hacked.
>
> If one could have e.g. U-Boot verify that the uImage is signed with the right
> private key (the software in production would have the public part compiled
> in).
> I realize it can be hard to prevent all things with our current hardware, but
> if one could at least raise the level so that at least some JTAG debugger is
> needed to modify the content and not only basic tools
> found in any Windows/Linux computer. We are also starting to design the next
> generation of hardware and here more can be done in the hardware to raise
> the bar even more.
>
> Or have you any other suggestion on how this could be improved?

I copied you on a series I sent a few days ago which implements
verified boot using RSA, using FIT as suggested by Wolfgang. That
might be closer to what you want.

Regards,
Simon

>
> Thanks in advance
>
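The signed-image check discussed in this thread, written as a FIT image source (.its) in the signature format that mainline U-Boot documents for verified boot. This is an added example, not part of the original message and not taken from the patch series Simon refers to; the file names, the key name `dev` and the load/entry addresses are placeholders.

```dts
/dts-v1/;

/*
 * Constructed example. Build and sign with:
 *   mkimage -f image.its -k <keydir> -K u-boot.dtb -r image.fit
 * <keydir> holds dev.key (private, stays on the build host) and dev.crt.
 * -K writes the public key into U-Boot's control device tree, which is how
 * the "public part compiled in" ends up on the device; -r marks the key as
 * required, so an unsigned or wrongly signed configuration is refused.
 * U-Boot must be built with CONFIG_FIT_SIGNATURE.
 */
/ {
	description = "Signed field-update image (constructed example)";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("vmlinux.bin.gz");	/* placeholder */
			type = "kernel";
			arch = "ppc";
			os = "linux";
			compression = "gzip";
			load = <0x00000000>;			/* placeholder */
			entry = <0x00000000>;			/* placeholder */
			hash-1 { algo = "sha256"; };
		};
		fdt-1 {
			description = "Board device tree";
			data = /incbin/("board.dtb");		/* placeholder */
			type = "flat_dt";
			arch = "ppc";
			compression = "none";
			hash-1 { algo = "sha256"; };
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			kernel = "kernel-1";
			fdt = "fdt-1";
			/* Signing the configuration binds kernel and fdt together,
			 * so signed parts cannot be recombined with unsigned ones. */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";
				sign-images = "kernel", "fdt";
			};
		};
	};
};
```

The update path on the device then has to boot only FIT images through `bootm`; a fallback that still accepts a plain `uImage` from the USB stick bypasses the signature check.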

