[U-Boot] [verified-boot] Multiple levels of signing keys

[Simon Glass]

Hi Teddy,

On 27 April 2016 at 11:32, Teddy Reed <teddy.reed at gmail.com> wrote:
> Hello all,
>
> I'm looking to support "multiple levels" of keys within u-boot's
> verified boot. I need something similar to UEFI's key enrollment key
> (KEK) and db/dbx model such that I can support on-line signing of new
> kernels/rootfs/configurations.
>
> To make this work we need a KEK that is not online (kept in a safe),
> that can be used to sign expirations (revocations) of on-line signing
> keys in the case of compromise or private key reveals. I know Chrome's
> Coreboot verified boot model supports this, wondering if there's any
> staged / WIP for u-boot?
>
> Off the top of my head I'd imagine this requires extending the FIT to
> include sets of public keys and a blacklist of keys and expired or bad
> kernel/rootfs/etc hashes. Then either extending the boot code to
> inspect multiple FITs or extending mkimage to combine multiple sources
> to amalgamate a FIT containing the PK-signed set of keys + hashes and
> the on-line key-signed kernels/rootfs/configurations.
>
> P.S. This may be strongly linked to the need for a TPM to prevent
> rollbacks. But as far as I can tell, the two features are distinct and
> a TPM is not completely required for a multi-level key approach to
> signing FITs.

I don't know of anything in this area. Of course it is fairly easy to
add new information to the FIT format, and mkimage is in somewhat
better shape for modifying these days. If you do this, please do
update fit_checksign.c to check an image.

Regards,
Simon