[U-Boot] Verified Boot: Mix and match attack

Johann Neuhauser jneuhauser at dh-electronics.de
Mon Jul 30 09:52:37 UTC 2018


Hello developers,

I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt".
That's why, as in doc/uImage.FIT/signed-configs.its, I have only implemented signed configurations and no signed images.
My public key in my embedded FDT has the property required = "conf";.

Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected and does fail to boot if I modify the config, image, hash, signature and so on.
If I boot any FIT image (signed or unsigned) with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot every image combination without signature verification.

Is this the expected behavior?

I thought if I had set the public key in the embedded FDT as required for configurations, bootm would only boot configurations and no subimages directly...

Regards
Johann Neuhauser
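The post describes a FIT in which only the configuration nodes are signed. An operator can confirm that state by walking the built .itb and the control FDT (the one the public key lives in) and listing which nodes carry a signature and what the key's `required` property says. The script below is an added example, not U-Boot code and not from the original post: a minimal flattened-device-tree serializer/parser, with `build_fdt`, `parse_fdt` and `audit_fit` as my own helper names and with constructed stand-in blobs that mirror doc/uImage.FIT/signed-configs.its (a few bytes in place of the real kernel and DTB data, no real signature values).

```python
"""Audit a FIT image for "mix and match" exposure.

Added example, not U-Boot's own code: a minimal flattened-device-tree
walker that reports which configurations and which images carry a
signature node, and whether the public key in the control FDT is marked
required = "conf" (configurations only) or "image". The FIT and key
blobs below are constructed here to mirror doc/uImage.FIT/signed-configs.its.
"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree):
    """Serialise {name: bytes-property | dict-subnode} into a DTB blob (v17 header)."""
    strings, offsets, out = bytearray(), {}, bytearray()

    def nameoff(name):
        if name not in offsets:
            offsets[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return offsets[name]

    def emit(name, node):
        out.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for k, v in node.items():          # properties first, then subnodes
            if isinstance(v, bytes):
                out.extend(struct.pack(">III", FDT_PROP, len(v), nameoff(k)) + _pad4(v))
        for k, v in node.items():
            if isinstance(v, dict):
                emit(k, v)
        out.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    out.extend(struct.pack(">I", FDT_END))
    off_struct = 40 + 16                    # header + empty memory reservation block
    off_strings = off_struct + len(out)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(out))
    return header + b"\0" * 16 + bytes(out) + bytes(strings)


def parse_fdt(blob):
    """Walk the structure block; return the root node as nested dicts."""
    magic, _, off_struct, off_strings = struct.unpack_from(">IIII", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, stack, root = off_struct, [], None
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            node = {}
            if stack:
                stack[-1][blob[pos:end].decode()] = node
            else:
                root = node
            stack.append(node)
            pos = end + 1 + (-(end + 1) % 4)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_PROP:
            length, noff = struct.unpack_from(">II", blob, pos)
            pos += 8
            nend = blob.index(b"\0", off_strings + noff)
            stack[-1][blob[off_strings + noff:nend].decode()] = bytes(blob[pos:pos + length])
            pos += length + (-length % 4)
        elif tok == FDT_END:
            return root
        elif tok != FDT_NOP:
            raise ValueError("unexpected token %d at offset %d" % (tok, pos - 4))


def _has_signature(node):
    return any(k.startswith("signature") and isinstance(v, dict) for k, v in node.items())


def audit_fit(fit_blob, control_blob):
    """Report unsigned configurations/images and what the control key requires."""
    fit, ctrl = parse_fdt(fit_blob), parse_fdt(control_blob)
    report = {"unsigned_configs": [], "unsigned_images": [], "required": None}
    for section, key in (("configurations", "unsigned_configs"), ("images", "unsigned_images")):
        for name, node in fit.get(section, {}).items():
            if isinstance(node, dict) and not _has_signature(node):
                report[key].append(name)
    for node in ctrl.get("signature", {}).values():
        if isinstance(node, dict) and "required" in node:
            report["required"] = node["required"].rstrip(b"\0").decode()
    return report


# Constructed stand-ins for the real blobs (a few bytes in place of kernel/DTB data).
SIGNED_CONFIG_FIT = build_fdt({
    "description": b"kernel + fdt, signed configuration only\0",
    "images": {
        "kernel@1": {"data": b"\x7fELF", "type": b"kernel\0", "hash@1": {"algo": b"sha1\0"}},
        "fdt@1": {"data": b"\xd0\x0d\xfe\xed", "type": b"flat_dt\0", "hash@1": {"algo": b"sha1\0"}},
    },
    "configurations": {
        "default": b"conf@1\0",
        "conf@1": {"kernel": b"kernel@1\0", "fdt": b"fdt@1\0",
                   "signature@1": {"algo": b"sha1,rsa2048\0", "key-name-hint": b"dev\0",
                                   "sign-images": b"fdt\0kernel\0"}},
    },
})
CONTROL_FDT = build_fdt({"signature": {"key-dev": {"required": b"conf\0", "algo": b"sha1,rsa2048\0"}}})

if __name__ == "__main__":
    print(audit_fit(SIGNED_CONFIG_FIT, CONTROL_FDT))
```

For the constructed blobs the report lists `conf@1` as signed, both images as unsigned and the key as `required = "conf"`, which is exactly the layout signed-configs.its produces: the configuration is the unit of trust, and the image nodes themselves carry only hashes. Running the same audit on a real .itb and the U-Boot control DTB (read both files as bytes) shows at a glance which nodes a given `required` setting actually covers.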

