[U-Boot] Verified boot and Legacy Kernel Images
Simon Glass
sjg at chromium.org
Fri Sep 5 23:54:34 CEST 2014
Hi,
On 6 May 2014 00:38, Heiko Schocher <hs at denx.de> wrote:
> Hello Mike,
>
> Am 05.05.2014 16:27, schrieb Mike Pearce:
>>
>> Please help as I am confused.
>>
>> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
>> works fine with FIT images. However it still boots the resident legacy
>> kernal that has not been signed.
>>
>> This means that anyone wishing to circumvent the signed hash can do so by
>> replacing the image file with a legacy one. That makes for a security hole
>> and so I must have done something wrong.
>
>
> No, you did nothing wrong ...
>
>> When I look at function bootm_find_os() from file cmd_bootm.c its switch
>> statement provides this behaviour -
>>
>> case IMAGE_FORMAT_LEGACY:
>> cool, its a go from me. Verify using an unsigned hash.
>> break;
>> #if defined(CONFIG_FIT)
>> case IMAGE_FORMAT_FIT:
>> do the signed hash checks when loading the image.
>> break;
>>
>> What I cannot find in the code is anything that I can compile in to
>> prevent
>> an unsigned legacy kernel from booting. The defines I already used include
>>
>> #define CONFIG_OF_LIBFDT
>> #define CONFIG_CMD_HASH
>> #define CONFIG_HASH_VERIFY
>> #define CONFIG_FIT_SIGNATURE
>> #define CONFIG_RSA
>
>
> See this thread:
>
> http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
>
> in particular Simons statement:
> http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
>
> -> Currently, nothing prevents to boot an unsigned legacy kernel ...
>
> Patches are welcome ;-)
To close the loop, Heiko's patch (commit 21d29f7f) to fix this was
merged in May. The new default behaviour is to disable legacy format
unless CONFIG_IMAGE_FORMAT_LEGACY is defined. So this should fix the
problem.
Note also the -r flag to mkimage which marks a key as 'required to be verified'
Regards,
Simon
More information about the U-Boot
mailing list