[U-Boot] Verified boot and Legacy Kernel Images

mike mike at kaew.be
Sun Sep 7 17:27:37 CEST 2014 

Hi Simon,

Thanks and to Heiko also.

Mike
On 09/05/2014 11:54 PM, Simon Glass wrote:
> Hi,
>
> On 6 May 2014 00:38, Heiko Schocher <hs at denx.de> wrote:
>> Hello Mike,
>>
>> Am 05.05.2014 16:27, schrieb Mike Pearce:
>>> Please help as I am confused.
>>>
>>> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
>>> works fine with FIT images. However it still boots the resident legacy
>>> kernal that has not been signed.
>>>
>>> This means that anyone wishing to circumvent the signed hash can do so by
>>> replacing the image file with a legacy one. That makes for a security hole
>>> and so I must have done something wrong.
>>
>> No, you did nothing wrong ...
>>
>>> When I look at function bootm_find_os() from file cmd_bootm.c its switch
>>> statement provides this behaviour -
>>>
>>>    case IMAGE_FORMAT_LEGACY:
>>>           cool, its a go from me. Verify using an unsigned hash.
>>>           break;
>>> #if defined(CONFIG_FIT)
>>>     case IMAGE_FORMAT_FIT:
>>>           do the signed hash checks when loading the image.
>>>           break;
>>>
>>> What I cannot find in the code is anything that I can compile in to
>>> prevent
>>> an unsigned legacy kernel from booting. The defines I already used include
>>>
>>>     #define CONFIG_OF_LIBFDT
>>>     #define CONFIG_CMD_HASH
>>>     #define CONFIG_HASH_VERIFY
>>>     #define CONFIG_FIT_SIGNATURE
>>>     #define CONFIG_RSA
>>
>> See this thread:
>>
>> http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
>>
>> in particular Simons statement:
>> http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
>>
>> -> Currently, nothing prevents to boot an unsigned legacy kernel ...
>>
>> Patches are welcome ;-)
> To close the loop, Heiko's patch (commit 21d29f7f) to fix this was
> merged in May. The new default behaviour is to disable legacy format
> unless CONFIG_IMAGE_FORMAT_LEGACY is defined. So this should fix the
> problem.
>
> Note also the -r flag to mkimage which marks a key as 'required to be verified'
>
> Regards,
> Simon
>

More information about the U-Boot mailing list