[U-Boot] Force check of RSA-Signature
Ulf Bartel
ulf.bartel at scansonic.de
Wed Sep 3 17:12:02 CEST 2014
Hello.
We are currently testing U-Boot on a PPC. Beside booting the system we like to use it do some system updates (e.g. Kernel, FDT and Initrd). I've compiled U-Boot with support for AES and RSA-Signatures. We are storing the RSA public keys using a Fit-Image for U-Boot configuration on Flash. Basically both AES and RSA support works as expected,
but:
1) is there a possibility to always be sure that accessing an image from a Fit-container checks the signature?
If the signature is wrong, we get an error as expected. But if we generate an image without any signature (which may be generated by anybody) the access is of course possible. Currently I used something like
fdt get value algorithm /images/script at 1/signature at 1/ algo &&
test "$algorithm" = "sha1,rsa2048" && echo success
to check if the image has a signature before proceeding. But this feels wrong.
2) Is there a possibility to check the signature/CRC before copying the image to ram with imxtract?
P.s. great project. I'm really impressed by its features!
Thanks in advance,
Ulf
More information about the U-Boot
mailing list