[U-Boot] Verified boot and Legacy Kernel Images
Heiko Schocher
hs at denx.de
Tue May 6 08:38:05 CEST 2014
Hello Mike,
Am 05.05.2014 16:27, schrieb Mike Pearce:
> Please help as I am confused.
>
> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
> works fine with FIT images. However it still boots the resident legacy
> kernal that has not been signed.
>
> This means that anyone wishing to circumvent the signed hash can do so by
> replacing the image file with a legacy one. That makes for a security hole
> and so I must have done something wrong.
No, you did nothing wrong ...
> When I look at function bootm_find_os() from file cmd_bootm.c its switch
> statement provides this behaviour -
>
> case IMAGE_FORMAT_LEGACY:
> cool, its a go from me. Verify using an unsigned hash.
> break;
> #if defined(CONFIG_FIT)
> case IMAGE_FORMAT_FIT:
> do the signed hash checks when loading the image.
> break;
>
> What I cannot find in the code is anything that I can compile in to prevent
> an unsigned legacy kernel from booting. The defines I already used include
>
> #define CONFIG_OF_LIBFDT
> #define CONFIG_CMD_HASH
> #define CONFIG_HASH_VERIFY
> #define CONFIG_FIT_SIGNATURE
> #define CONFIG_RSA
See this thread:
http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
in particular Simons statement:
http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
-> Currently, nothing prevents to boot an unsigned legacy kernel ...
Patches are welcome ;-)
bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
More information about the U-Boot
mailing list