[U-Boot] u-boot legacy/FIT/FIT+signature compatibility
Simon Glass
sjg at chromium.org
Fri Feb 12 16:53:47 CET 2016
Hi Troy,
On 8 February 2016 at 08:46, Troy Benjegerdes <hozer at hozed.org> wrote:
> so I'm tracing through stuff on an am3517-evm board, and finding that with
> a FIT image file that works without signature checking compiled in, when
> I turn on sig checking, if it doesn't find a signature I just get a data
> abort, *and* the resulting u-boot doesn't recognize old 'legacy' boot
> images anymore either.
>
>
> I get the point that if you have signatures on, you may not want to hand
> over keys to decrypt secure filesystems if you try to boot an unsigned
> image, but I think the fallbacks and backwards compatibility could be
> developed a little better, especially since why now that I have CONFIG_FIT
> I now can't seem to load a legacy image.

This would be a security hole - but you can turn off
CONFIG_DISABLE_IMAGE_LEGACY if you want to do that.

The data abort sounds like something to investigate. If you have the
PC address it might give you a clue as to what is going wrong.

There is a pretty detailed guide in beaglebone_vboot.txt.

>
>
> --
> ----------------------------------------------------------------------------
> Troy Benjegerdes 'da hozer' hozer at hozed.org
> 7 elements earth::water::air::fire::mind::spirit::soul grid.coop
>
> Never pick a fight with someone who buys ink by the barrel,
> nor try buy a hacker who makes money by the megahash
>
Regards,
Simon