[U-Boot] booting signed Images
Wolfgang Denk
wd at denx.de
Mon May 5 21:19:11 CEST 2014
Dear Simon,
In message <CAPnjgZ3OKQ8UZMOrQ7m7zWDWsFa2yZqCT2F69sKwgjDymOzePw at mail.gmail.com> you wrote:
>
> >> There is a 'required' property in the public keys which is intended to
> >> support this. If you mark a key as 'required then it will need to be
> >> verified by any image that is loaded. There is a test for this case,
> >> but it may not be comprehensive.
> >
> > But what about legacy uImage files? It appears nothing would stop
> > booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
This makes sense to me. Thanks!
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I haven't lost my mind -- it's backed up on tape somewhere.
More information about the U-Boot
mailing list