[U-Boot] [verified-boot] Multiple levels of signing keys

Teddy Reed teddy.reed at gmail.com
Wed Apr 27 19:32:20 CEST 2016


Hello all,

I'm looking to support "multiple levels" of keys within u-boot's
verified boot. I need something similar to UEFI's key enrollment key
(KEK) and db/dbx model such that I can support on-line signing of new
kernels/rootfs/configurations.

To make this work we need a KEK that is not online (kept in a safe),
that can be used to sign expirations (revocations) of on-line signing
keys in the case of compromise or private key reveals. I know Chrome's
Coreboot verified boot model supports this; I'm wondering if there's
anything staged / WIP for u-boot?

Off the top of my head I'd imagine this requires extending the FIT to
include sets of public keys and a blacklist of keys and expired or bad
kernel/rootfs/etc hashes. Then either extending the boot code to
inspect multiple FITs or extending mkimage to combine multiple sources
to amalgamate a FIT containing the PK-signed set of keys + hashes and
the on-line key-signed kernels/rootfs/configurations.

P.S. This may be strongly linked to the need for a TPM to prevent
rollbacks. But as far as I can tell, the two features are distinct and
a TPM is not completely required for a multi-level key approach to
signing FITs.

Thanks!
-- 
Teddy Reed V
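The two-level model sketched above (an offline KEK signing a set of on-line public keys plus a blacklist of revoked key ids and known-bad image hashes, with the on-line keys signing the actual kernels/rootfs/configurations) can be shown end to end in a small verifier. The following is an added example written for this page, not code from the mail, from U-Boot or from Chrome's verified boot. It assumes ed25519 in place of the RSA signatures a FIT actually carries, a JSON blob in place of FIT nodes, and illustrative field and key names; the rollback counter is kept in RAM only, which is exactly the gap the P.S. notes a TPM would close.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the policy the offline KEK signs; a real FIT would carry it in
// its own node. Field names are illustrative (an assumption), not U-Boot's.
type Manifest struct {
	Version     uint64            `json:"version"`      // monotonic, for anti-rollback
	OnlineKeys  map[string][]byte `json:"online_keys"`  // key id -> ed25519 public key
	RevokedKeys []string          `json:"revoked_keys"` // key ids withdrawn after compromise
	BadHashes   []string          `json:"bad_hashes"`   // hex SHA-256 of images that must not boot
}

type SignedManifest struct{ Payload, Sig []byte } // encoded manifest + KEK signature
type SignedImage struct {                         // kernel/rootfs/config + on-line key signature
	KeyID     string
	Data, Sig []byte
}

// Verifier is what the boot firmware carries: the pinned KEK public key and the
// newest accepted manifest version. Without a TPM or other secure storage,
// LastVersion survives only in RAM, which is the rollback gap the P.S. mentions.
type Verifier struct {
	KEK         ed25519.PublicKey
	LastVersion uint64
}

func SignManifest(kek ed25519.PrivateKey, m Manifest) SignedManifest {
	payload, _ := json.Marshal(m) // struct marshalling is deterministic, so sign the bytes
	return SignedManifest{payload, ed25519.Sign(kek, payload)}
}

func SignImage(id string, priv ed25519.PrivateKey, data []byte) SignedImage {
	return SignedImage{id, data, ed25519.Sign(priv, data)}
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Verify walks the chain KEK -> manifest -> on-line key -> image and returns
// nil only if every link holds.
func (v *Verifier) Verify(sm SignedManifest, img SignedImage) error {
	if !ed25519.Verify(v.KEK, sm.Payload, sm.Sig) {
		return errors.New("manifest: bad KEK signature")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return err
	}
	if m.Version < v.LastVersion {
		return errors.New("manifest: older than last accepted version (rollback)")
	}
	v.LastVersion = m.Version // authentic and current: remember it before judging the image
	if contains(m.RevokedKeys, img.KeyID) {
		return errors.New("image: signing key is revoked")
	}
	pub, ok := m.OnlineKeys[img.KeyID]
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), img.Data, img.Sig) {
		return errors.New("image: unknown key or bad signature")
	}
	sum := sha256.Sum256(img.Data)
	if contains(m.BadHashes, hex.EncodeToString(sum[:])) {
		return errors.New("image: hash is blacklisted")
	}
	return nil
}

// RunScenario builds constructed keys and images and reports which boots the
// verifier accepts (true) or rejects (false).
func RunScenario() map[string]bool {
	kekPub, kekPriv, _ := ed25519.GenerateKey(rand.Reader) // offline KEK (kept in the safe)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)     // on-line key "a"
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)     // on-line key "b", later compromised
	_, cPriv, _ := ed25519.GenerateKey(rand.Reader)        // never enrolled

	kernel := []byte("constructed kernel image v1")
	buggy := []byte("constructed kernel image with a known-bad build")
	buggySum := sha256.Sum256(buggy)
	keys := map[string][]byte{"a": aPub, "b": bPub}

	m1 := SignManifest(kekPriv, Manifest{Version: 1, OnlineKeys: keys})
	m2 := SignManifest(kekPriv, Manifest{Version: 2, OnlineKeys: keys,
		RevokedKeys: []string{"b"}, BadHashes: []string{hex.EncodeToString(buggySum[:])}})

	v := &Verifier{KEK: kekPub}
	out := map[string]bool{}
	out["m1: kernel signed by a"] = v.Verify(m1, SignImage("a", aPriv, kernel)) == nil
	out["m1: kernel signed by b"] = v.Verify(m1, SignImage("b", bPriv, kernel)) == nil
	out["m2: kernel signed by a"] = v.Verify(m2, SignImage("a", aPriv, kernel)) == nil
	out["m2: kernel signed by revoked b"] = v.Verify(m2, SignImage("b", bPriv, kernel)) == nil
	out["m2: kernel signed by unenrolled c"] = v.Verify(m2, SignImage("c", cPriv, kernel)) == nil
	out["m2: blacklisted build signed by a"] = v.Verify(m2, SignImage("a", aPriv, buggy)) == nil
	out["m1 replayed after m2"] = v.Verify(m1, SignImage("b", bPriv, kernel)) == nil
	return out
}

func main() {
	for k, ok := range RunScenario() {
		fmt.Printf("%-40s %v\n", k, ok)
	}
}
```

The order of checks matters: the manifest's own KEK signature and version are judged before any on-line key is consulted, so a replayed older manifest that still lists the compromised key "b" is rejected on version alone, and the revocation list is consulted before the on-line signature so a valid signature from a withdrawn key never reaches the image hash check.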

