[U-Boot] Force check of RSA-Signature

Ulf Bartel ulf.bartel at scansonic.de
Wed Sep 3 17:12:02 CEST 2014


Hello.

We are currently testing U-Boot on a PPC. Beside booting the system we like to use it do some system updates (e.g. Kernel, FDT and Initrd). I've compiled U-Boot with support for AES and RSA-Signatures. We are storing the RSA public keys using a Fit-Image for U-Boot configuration on Flash. Basically both AES and RSA support works as expected,

but:

1) is there a possibility to always be sure that accessing an image from a Fit-container checks the signature?
If the signature is wrong, we get an error as expected. But if we generate an image without any signature (which may be generated by anybody) the access is of course possible. Currently I used something like

fdt get value algorithm /images/script at 1/signature at 1/ algo &&
test "$algorithm" = "sha1,rsa2048" && echo success   

to check if the image has a signature before proceeding. But this feels wrong.

2) Is there a possibility to check the signature/CRC before copying the image to ram with imxtract?

P.s. great project. I'm really impressed by its features!

Thanks in advance,
Ulf


More information about the U-Boot mailing list