[U-Boot] U-Boot: Verified Boot: signed configuration and mix and match attack
Johann Neuhauser
jneuhauser at dh-electronics.de
Tue Jul 31 08:22:35 UTC 2018
Dear U-Boot devs,
I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt".
That's why I have only implemented signed configurations and no signed images, as in doc/uImage.FIT/signed-configs.its.
My public key in my embedded fdt has the property required = "conf";
Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected and does fail to boot if I modify the config, image, hash, signature and so on.
If I boot any FIT image (signed and unsigned), for example with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot every image combination without signature verification although a signature is enforced for a configuration.
Is this the expected behavior?
I thought if I had set the public key in the embedded fdt as required for configurations, bootm would only boot signed configurations and no subimages directly...
Best regards
Johann Neuhauser
DH electronics GmbH
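For readers following the layout the post refers to, here is an added illustration (not part of the original mail) of the two files involved: the key node in the U-Boot control FDT marked required = "conf", and a FIT source that signs only the configuration. File names, load addresses and data paths are placeholders.

```dts
/* File 1 (added example): key node in the U-Boot control FDT.
 * required = "conf" means U-Boot must validate a *configuration* with this
 * key; it places no requirement on images selected directly with
 * "bootm addr:kernel@1 - fdt@1", which is the behaviour the post observes. */
/ {
	signature {
		key-dev {
			required = "conf";
			algo = "sha1,rsa2048";
			key-name-hint = "dev";
			/* rsa,modulus, rsa,exponent, rsa,r-squared, rsa,n0-inverse and
			 * rsa,num-bits are inserted here by "mkimage -K control.dtb" */
		};
	};
};

/* File 2 (added example): FIT source with a signed configuration only.
 * sign-images binds kernel@1 and fdt@1 into one signed unit, so swapping
 * either one invalidates conf@1 when booted with "bootm addr#conf@1". */
/dts-v1/;
/ {
	description = "Signed configuration, unsigned subimages";
	#address-cells = <1>;
	images {
		kernel@1 {
			data = /incbin/("zImage");      /* placeholder path */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x10800000>;            /* placeholder address */
			entry = <0x10800000>;
			hash@1 { algo = "sha1"; };
		};
		fdt@1 {
			data = /incbin/("board.dtb");   /* placeholder path */
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash@1 { algo = "sha1"; };
		};
	};
	configurations {
		default = "conf@1";
		conf@1 {
			kernel = "kernel@1";
			fdt = "fdt@1";
			signature@1 {
				algo = "sha1,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "kernel";
			};
		};
	};
};
```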