[U-Boot] booting signed Images

Simon Glass sjg at chromium.org
Mon May 5 20:31:07 CEST 2014


Hi Wolfgang,

On 5 May 2014 11:55, Wolfgang Denk <wd at denx.de> wrote:
> Dear Simon,
>
> In message <CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g at mail.gmail.com> you wrote:
>>
>> > Should we not prevent booting uImages or not signed FIT Images when
>> > CONFIG_FIT_SIGNATURE is defined?
>> > Or at least prevent booting such unsigned images through a U-Boot
>> > env variable.
>> >
>> > What do you think?
>>
>> There is a 'required' property in the public keys which is intended to
>> support this. If you mark a key as 'required' then it will need to be
>> verified by any image that is loaded. There is a test for this case,
>> but it may not be comprehensive.
>
> But what about legacy uImage files?  It appears nothing would stop
> booting one of those?

That's right, there is nothing to stop that at present. The
verification happens either on each image (for per-image signing) or
on the selected configuration as a whole (in fit_image_load() when it
sees the kernel being loaded).

One simple solution might be to check a CONFIG option in
boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.

Regards,
Simon
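
The gate Simon proposes above, as an added stand-alone example (not U-Boot code): a small model that classifies an image by its header magic and refuses legacy uImages whenever a hypothetical require_signed option is set, while FIT images still depend on the outcome of signature verification (modelled here by a caller-supplied fit_verified flag). The two sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Magic numbers stored big-endian at the start of each image type. */
#define IH_MAGIC   0x27051956u  /* legacy uImage header magic */
#define FDT_MAGIC  0xd00dfeedu  /* FIT images are flattened device trees */

enum image_format { FORMAT_LEGACY, FORMAT_FIT, FORMAT_INVALID };

/* Read a big-endian 32-bit word from the image buffer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decide the image format from its leading magic; too-short buffers
 * are invalid rather than read past their end. */
enum image_format classify_image(const uint8_t *img, size_t len)
{
    if (len < 4)
        return FORMAT_INVALID;
    uint32_t magic = be32(img);
    if (magic == IH_MAGIC)
        return FORMAT_LEGACY;
    if (magic == FDT_MAGIC)
        return FORMAT_FIT;
    return FORMAT_INVALID;
}

/* Boot policy: with require_signed set, a legacy uImage is refused before
 * anything is loaded (it carries no signature at all), and a FIT image is
 * accepted only if verification succeeded. Without the option the old
 * behaviour is kept. Returns 1 to allow booting, 0 to refuse. */
int boot_allowed(const uint8_t *img, size_t len, int require_signed,
                 int fit_verified)
{
    switch (classify_image(img, len)) {
    case FORMAT_LEGACY:
        return require_signed ? 0 : 1;
    case FORMAT_FIT:
        return require_signed ? (fit_verified ? 1 : 0) : 1;
    default:
        return 0;
    }
}

/* Constructed sample headers: only the magic word matters for this model. */
const uint8_t sample_legacy_hdr[8] = {0x27, 0x05, 0x19, 0x56, 0, 0, 0, 0};
const uint8_t sample_fit_hdr[8]    = {0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 0};
```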

