[U-Boot] Verified boot and Legacy Kernel Images

Mike Pearce mike at kaew.be
Mon May 5 16:27:48 CEST 2014


Please help as I am confused.

I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
works fine with FIT images. However, it still boots the resident legacy
kernel that has not been signed.

This means that anyone wishing to circumvent the signed hash can do so by
replacing the image file with a legacy one. That makes for a security hole
and so I must have done something wrong.

When I look at function bootm_find_os() from file cmd_bootm.c, its switch
statement provides this behaviour:

  case IMAGE_FORMAT_LEGACY:
        /* cool, it's a go from me. Verify using an unsigned hash. */
        break;
#if defined(CONFIG_FIT)
  case IMAGE_FORMAT_FIT:
        /* do the signed hash checks when loading the image. */
        break;
#endif

What I cannot find in the code is anything that I can compile in to prevent
an unsigned legacy kernel from booting. The defines I already used include

  #define CONFIG_OF_LIBFDT
  #define CONFIG_CMD_HASH
  #define CONFIG_HASH_VERIFY
  #define CONFIG_FIT_SIGNATURE
  #define CONFIG_RSA

Thanks,

Mike.
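Added illustration, not code from the U-Boot tree or from the post above: a standalone C model of the format dispatch Mike describes, showing that the only check a legacy uImage header carries is a CRC32 that needs no key, and what a policy gate that refuses legacy images when signatures are required looks like. The function and enum names are my own; only the magic values and the 64-byte legacy header layout (ih_hcrc at bytes 4..7) are U-Boot's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IH_MAGIC       0x27051956u /* legacy uImage header magic */
#define FDT_MAGIC      0xd00dfeedu /* FIT images are flattened device trees */
#define IH_HEADER_SIZE 64          /* sizeof(image_header_t) */
enum img_format { FMT_INVALID, FMT_LEGACY, FMT_FIT };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* CRC32 (IEEE): the unsigned hash a legacy header stores in ih_hcrc. */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c & 1) ? (c >> 1) ^ 0xedb88320u : c >> 1;
    }
    return ~c;
}

/* Classify by magic, as bootm does before picking a verification case. */
enum img_format img_get_format(const uint8_t *img, size_t len) {
    if (len >= 4 && be32(img) == FDT_MAGIC) return FMT_FIT;
    if (len >= IH_HEADER_SIZE && be32(img) == IH_MAGIC) return FMT_LEGACY;
    return FMT_INVALID;
}

/* Legacy check: CRC32 over the header with ih_hcrc (bytes 4..7) zeroed.
 * No key is involved, so this only detects accidental corruption. */
int legacy_header_crc_ok(const uint8_t *img, size_t len) {
    uint8_t hdr[IH_HEADER_SIZE];
    if (img_get_format(img, len) != FMT_LEGACY) return 0;
    memcpy(hdr, img, IH_HEADER_SIZE);
    memset(hdr + 4, 0, 4);
    return crc32_buf(hdr, IH_HEADER_SIZE) == be32(img + 4);
}
/* Constructed sample input (hypothetical helper): a minimal self-consistent legacy header. */
void build_legacy_header(uint8_t out[IH_HEADER_SIZE]) {
    memset(out, 0, IH_HEADER_SIZE);
    out[0] = 0x27; out[1] = 0x05; out[2] = 0x19; out[3] = 0x56;
    uint32_t crc = crc32_buf(out, IH_HEADER_SIZE);
    out[4] = crc >> 24; out[5] = crc >> 16; out[6] = crc >> 8; out[7] = crc;
}

/* The gate the post's switch lacks: when signatures are required, legacy is refused. */
int boot_allowed(const uint8_t *img, size_t len, int require_signature) {
    switch (img_get_format(img, len)) {
    case FMT_FIT:    return 1; /* would go on to FIT signature verification */
    case FMT_LEGACY: return require_signature ? 0 : legacy_header_crc_ok(img, len);
    default:         return 0;
    }
}
```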