[U-Boot] secure embedded linux system

Wolfgang Denk wd at denx.de
Fri May 30 14:10:44 CEST 2014


Dear Mahendra,

In message <BAY176-W29A41E1225FE7E1D2479B890270 at phx.gbl> you wrote:
> 
> Thanks for replying. I think if I encrypt the entire rootfs and
> embed the decryption key in U-Boot (at the time of compiling U-Boot), it
> can be protected. What is your suggestion? I have never worked with
> U-Boot, so I need help embedding the decryption key in U-Boot to
> load the encrypted rootfs. Best

As I can read your U-Boot image on that hardware, I can also read
your key, and then probably use it.

Security is not so easy to implement.  If an attacker can get physical
access, you must make sure he cannot access your keys anyway.  Usually
this gets addressed in hardware - like TPM chips (where you cannot
read the keys), or processors that support protected / encrypted boot
modes.  If your SOC does not have any such options, and neither does
your board, then you lose.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Every program has at least one bug and can be shortened by  at  least
one instruction - from which, by induction, one can deduce that every
program can be reduced to one instruction which doesn't work.
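
As an added example (not part of the original message): a release-gate check in Python that flags a build when a known secret is present in a bootloader image, which is the condition the reply warns about. The key, the stand-in image bytes and all function names are constructed for illustration.

```python
import base64
import hashlib


def key_encodings(key: bytes) -> dict:
    """Forms in which a compiled-in key typically ends up inside a binary."""
    return {
        "raw": key,
        "reversed": key[::-1],              # byte-swapped storage
        "hex-lower": key.hex().encode(),    # ASCII hex, e.g. in a config string
        "hex-upper": key.hex().upper().encode(),
        "base64": base64.b64encode(key),
    }


def find_embedded_key(image: bytes, key: bytes) -> list:
    """Return (encoding, offset) for every occurrence of key in image."""
    hits, seen = [], set()
    for name, needle in key_encodings(key).items():
        if needle in seen:                  # e.g. palindromic key
            continue
        seen.add(needle)
        offset = image.find(needle)
        while offset != -1:
            hits.append((name, offset))
            offset = image.find(needle, offset + 1)
    return hits


# Constructed sample data: a demo key and three stand-in "images".
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
FILLER = bytes(range(256)) * 4              # 1024 bytes of non-secret content
CLEAN_IMAGE = FILLER + FILLER
IMAGE_RAW_KEY = FILLER + DEMO_KEY + FILLER
IMAGE_HEX_KEY = FILLER + DEMO_KEY.hex().encode() + FILLER

if __name__ == "__main__":
    for label, image in [("clean", CLEAN_IMAGE), ("raw key", IMAGE_RAW_KEY),
                         ("hex key", IMAGE_HEX_KEY)]:
        hits = find_embedded_key(image, DEMO_KEY)
        print(f"{label}: {'FAIL ' + str(hits) if hits else 'ok'}")
```

A hit means the secret ships in a readable artifact; a clean result only covers the encodings checked here and says nothing about keys stored in other transformed forms.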

