[U-Boot] booting signed Images

Simon Glass sjg at chromium.org
Thu May 8 00:51:56 CEST 2014


Hi Heiko,

On 7 May 2014 01:06, Heiko Schocher <hs at denx.de> wrote:

> Hello Simon,
>
> Am 05.05.2014 20:31, schrieb Simon Glass:
>
>  Hi Wolfgang,
>>
>> On 5 May 2014 11:55, Wolfgang Denk<wd at denx.de>  wrote:
>>
>>> Dear Simon,
>>>
>>> In message<CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm
>>> 98LF96PLfu-g at mail.gmail.com>  you wrote:
>>>
>>>>
>>>>  Should we not prevent booting uImages or not signed FIT Images when
>>>>> CONFIG_FIT_SIGNATURE is defined?
>>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>>> env variable.
>>>>>
>>>>> What do you think?
>>>>>
>>>>
>>>> There is a 'required' property in the public keys which is intended to
>>>> support this. If you mark a key as 'required' then it will need to be
>>>> verified by any image that is loaded. There is a test for this case,
>>>> but it may not be comprehensive.
>>>>
>>>
>>> But what about legacy uImage files?  It appears nothing would stop
>>> booting one of those?
>>>
>>
>> That's right, there is nothing to stop that at present. The
>> verification happens either on each image (for per-image signing) or
>> on the selected configuration as a whole (in fit_image_load() when it
>> sees the kernel being loaded).
>>
>> One simple solution might be to check a CONFIG option in
>> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
>>
>
> The question is here, do we introduce a new config option for this,
> or do we use for example CONFIG_FIT_SIGNATURE to disable it?
>
> I prefer to check CONFIG_FIT_SIGNATURE, and disable IMAGE_FORMAT_LEGACY
> completely.
>

I suggest a new CONFIG option, like CONFIG_DISABLE_IMAGE_FORMAT_LEGACY or
possibly a device tree option, since if you force disabling of the legacy
format you are actually removing functionality. At present
CONFIG_FIT_SIGNATURE is a capability, and one capability should not
normally preclude another.

Regards,
Simon
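The gap the thread describes, modelled as an added example that is not U-Boot code and not anything Simon, Heiko or Wolfgang posted: a legacy uImage is selected by its header magic and goes down a path that never reaches fit_image_load(), so with only CONFIG_FIT_SIGNATURE built in it boots after a mere CRC32 header check, which any attacker can recompute. The gate function below stands in for the check Simon proposes in boot_get_kernel(); the policy struct, the decision enum, the function names and CONFIG_DISABLE_IMAGE_FORMAT_LEGACY are all assumptions for illustration, while IH_MAGIC, FDT_MAGIC, the 64-byte legacy header layout and the header-CRC definition are the real format constants.

```c
/* Added example, not U-Boot source: shows why a legacy uImage bypasses FIT
 * signature verification and how a separate "disable legacy" option closes
 * that path. Function and option names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IH_MAGIC     0x27051956u  /* legacy uImage header magic (stored big-endian) */
#define FDT_MAGIC    0xd00dfeedu  /* flattened device tree magic; a FIT image is an FDT */
#define IH_HDR_SIZE  64           /* legacy header: 7 x u32, 4 x u8, 32-byte name */
#define IH_NMLEN     32

enum image_format { IMAGE_FORMAT_INVALID, IMAGE_FORMAT_LEGACY, IMAGE_FORMAT_FIT };
enum boot_decision { BOOT_REFUSED, BOOT_LEGACY_UNVERIFIED, BOOT_FIT_VERIFY };

/* Hypothetical build configuration, modelling two independent CONFIG options. */
struct boot_policy {
    int fit_signature;   /* CONFIG_FIT_SIGNATURE: FIT images can be verified */
    int disable_legacy;  /* hypothetical CONFIG_DISABLE_IMAGE_FORMAT_LEGACY */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Plain IEEE CRC32 (reflected, init/xorout 0xFFFFFFFF), same as zlib's crc32(). */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Format detection by magic only, the same decision that routes an image to
 * the legacy or the FIT code path before any verification has happened. */
enum image_format detect_image_format(const uint8_t *img, size_t len)
{
    if (len < 4) return IMAGE_FORMAT_INVALID;
    uint32_t magic = be32(img);
    if (magic == IH_MAGIC)  return IMAGE_FORMAT_LEGACY;
    if (magic == FDT_MAGIC) return IMAGE_FORMAT_FIT;
    return IMAGE_FORMAT_INVALID;
}

/* Legacy header CRC: CRC32 over the 64-byte header with ih_hcrc (bytes 4..7)
 * taken as zero. It is an integrity check, not authentication. */
uint32_t legacy_header_crc(const uint8_t *hdr)
{
    uint8_t tmp[IH_HDR_SIZE];
    memcpy(tmp, hdr, IH_HDR_SIZE);
    memset(tmp + 4, 0, 4);
    return crc32_ieee(tmp, IH_HDR_SIZE);
}

int legacy_header_crc_ok(const uint8_t *hdr, size_t len)
{
    return len >= IH_HDR_SIZE && legacy_header_crc(hdr) == be32(hdr + 4);
}

/* Recompute ih_hcrc; this is all an attacker needs to "repair" a tampered image. */
void legacy_reseal(uint8_t *hdr) { put_be32(hdr + 4, legacy_header_crc(hdr)); }

/* Constructed sample: a minimal legacy header with a zero-length payload. */
void make_legacy_header(uint8_t out[IH_HDR_SIZE], const char *name)
{
    memset(out, 0, IH_HDR_SIZE);
    put_be32(out, IH_MAGIC);
    put_be32(out + 12, 0);                        /* ih_size: no payload in this sample */
    strncpy((char *)out + 32, name, IH_NMLEN - 1); /* ih_name */
    legacy_reseal(out);
}

/* Stand-in for the check Simon suggests adding to boot_get_kernel(). */
enum boot_decision boot_gate(const struct boot_policy *p, const uint8_t *img, size_t len)
{
    switch (detect_image_format(img, len)) {
    case IMAGE_FORMAT_FIT:
        /* Signature checks live on this path (fit_image_load), when
         * fit_signature is set and a key is marked 'required'. */
        return BOOT_FIT_VERIFY;
    case IMAGE_FORMAT_LEGACY:
        if (p->disable_legacy) return BOOT_REFUSED;
        if (!legacy_header_crc_ok(img, len)) return BOOT_REFUSED;
        /* With fit_signature alone, a CRC-valid legacy image boots unsigned. */
        return BOOT_LEGACY_UNVERIFIED;
    default:
        return BOOT_REFUSED;
    }
}

int main(void)
{
    uint8_t hdr[IH_HDR_SIZE];
    struct boot_policy sig_only = { 1, 0 }, strict = { 1, 1 };
    make_legacy_header(hdr, "unsigned-kernel");
    printf("fit_signature only : %d (1 = boots unverified)\n", boot_gate(&sig_only, hdr, sizeof hdr));
    printf("plus disable_legacy: %d (0 = refused)\n", boot_gate(&strict, hdr, sizeof hdr));
    hdr[32] ^= 0x20;                 /* tamper with the name: CRC no longer matches */
    printf("tampered crc ok    : %d\n", legacy_header_crc_ok(hdr, sizeof hdr));
    legacy_reseal(hdr);              /* ...until the attacker recomputes it */
    printf("resealed crc ok    : %d\n", legacy_header_crc_ok(hdr, sizeof hdr));
    return 0;
}
```

The two policies are kept independent on purpose, matching Simon's point that CONFIG_FIT_SIGNATURE is a capability and should not by itself remove legacy support; a build that wants signed boot sets both, and the reseal step shows why a CRC-only path cannot substitute for the signature check.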
