[U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
Tom Rini
trini at ti.com
Fri May 9 21:12:48 CEST 2014
On Fri, May 09, 2014 at 12:47:44PM -0600, Simon Glass wrote:
> Hi Wolfgang,
>
> On 9 May 2014 07:35, Wolfgang Denk <wd at denx.de> wrote:
> > Dear Simon,
> >
> > In message <CAPnjgZ1_Cf-eu592YqF0=th7MT1da6Gh7Pv1Lxaf79kV8Lw9OQ at mail.gmail.com> you wrote:
> >>
> >> I agree that it might be dangerous to allow legacy boot when signature
> >> verification is used. It would be nice to fix that.
> >
> > I think there is general agreement on this point.
> >
> >> This means that legacy is on by default, unless signature verification
> >> is enabled, in which case the default flips. But I worry that it might
> >> only confuse people. This seems like a Wolfgang / Tom question :-)
> >
> > OK, here is my 0.02€ to it:
> >
> > I think, no matter how we implement it, this should exactly the
> > behaviour. Average users tend to avoid reading documentation, so if
> > they enable signature verification the most likely want a secure
> > system, so we should give them just that. Only if someone really
> > knows what he is doing he should be able to enable support for
> > (insecure) legacy images.
> >
> > As for the implementation - yes, the
> > #ifdef CONFIG_FIT_SIGNATURE_VERIFICATION
> > approach indeed does not look very nice, but then, it appears to be
> > the straightforward implementation of what we want to do?
>
> OK, well in that case, let's do it that way.
Agreed, then we can look for clever ways to refactor the code after.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20140509/86af0d67/attachment.pgp>
More information about the U-Boot
mailing list