[U-Boot] U-boot FIT Signature
Markus Valentin
mv at denx.de
Mon Feb 20 09:49:39 UTC 2017
Hi,
On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
> How would you verify that the public key hasn't been tampered with?
>
> On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electronica at cojali.com>
> wrote:
>
> >
> > Good morning,
> >
> > I am working with FIT image in U-Boot 2013.07. I have configured the image
> > verification with signed image and kernel boots fine so, I would like to
> > know if I can store my public key in an external device (like crypto-memory
> > or an i2c device) because I am storing the key in DBT with the
> > CONFIG_OF_CONTROL configuration.
Imho is perfectly fine to store the public key in the u-boot.dtb for most
needs(specially for using it with fit-images). Do you have a specific reason
for wanting to store it elsewhere?
> > The aim of this is that U-Boot should check the i2c address of my
> > external device, read the public key and verify the signed image later.
> > I work with am335x board and Kernel 3.14.
As Rick suggests you should verify your public key with a checksum which is
somehow protected from being tampered. In the most cases there is some OTP-
Fuse-Register that can do the job.
best regards
Markus
More information about the U-Boot
mailing list