[U-Boot] booting signed Images

Heiko Schocher hs at denx.de
Wed May 7 09:06:04 CEST 2014


Hello Simon,

Am 05.05.2014 20:31, schrieb Simon Glass:
> Hi Wolfgang,
>
> On 5 May 2014 11:55, Wolfgang Denk<wd at denx.de>  wrote:
>> Dear Simon,
>>
>> In message<CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g at mail.gmail.com>  you wrote:
>>>
>>>> Should we not prevent booting uImages or not signed FIT Images when
>>>> CONFIG_FIT_SIGNATURE is defined?
>>>> Or at least prevent booting such unsigned images through an U-Boot
>>>> env variable.
>>>>
>>>> What Do you think?
>>>
>>> There is a 'required' property in the public keys which is intended to
>>> support this. If you mark a key as 'required then it will need to be
>>> verified by any image that is loaded. There is a test for this case,
>>> but it may not be comprehensive.
>>
>> But what about legacy uImage files?  It appears nothing would stop
>> booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.

The question is here, do we introduce a new config option for this,
or do we use for example CONFIG_FIT_SIGNATURE to disable it?

I prefer to check CONFIG_FIT_SIGNATURE, and disable IMAGE_FORMAT_LEGACY
complete.

bye,
Heiko
-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


More information about the U-Boot mailing list