[U-Boot] Verified boot production uses question

Sam Voss sam.voss at rockwellcollins.com
Thu Jun 7 19:45:03 UTC 2018


Teddy,

On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed <teddy.reed at gmail.com> wrote:
>
> Hi all, question, is anyone using the U-Boot verified-boot in production?

I have been digging into this lately as well, and actually noticed a
few other things on top of what you are seeing, mentioned below. I
don't want to derail this email thread too much, but there is another
patch working on signature-key fallback sequencing as well (which
claims to be supported).

> I am using configuration verification for several OpenCompute/OpenBMC
> boards. After a deep-dive review I found some edge cases that in rare
> circumstances could lead to a signature check bypass.

Slightly related: if you use two FIT images to boot it seems that the
second will never be verified. Once the first is deemed OK it just
lets the boot happen.

> I think this is
> low-risk at best since the scenario requires special hardware behavior
> to exist. Our boards were susceptible in the general sense, but we had
> implemented some additional sanity checks on the FIT structures that
> prevented this.
>
> There are some proposed changes that attempt to mitigate this [1],
> [2], [3]. Any one of these changes mitigates the bypass scenario. If
> you don't mind reaching out to me I can share the exact
> situation/details.
>
> [1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
> [2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
> [3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html
>
> Thanks,
> -Teddy

Thanks,

Sam
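An added example, not part of this thread or of U-Boot itself: a structural pre-flight check of the kind Teddy mentions, run over every FIT in a boot chain rather than only the first. Each FIT is modelled as a nested dict mirroring its .its source (in practice the tree would come from the .itb via a DTB parser such as pylibfdt, which is an assumption here); the sample FITs and their signature values are constructed.

```python
# Added example (not U-Boot code): structural pre-flight check on FIT configurations.
# Each FIT is a nested dict mirroring its .its source; obtaining it from a real .itb
# with a DTB parser such as pylibfdt is assumed, not shown.
SIGNED_PROPS = ("kernel", "fdt", "ramdisk")  # config properties a conf signature must cover


def unsigned_configs(fit):
    """Return the /configurations/* names whose signature does not cover every image they load."""
    findings = []
    for cname, cfg in fit.get("configurations", {}).items():
        if not isinstance(cfg, dict):
            continue  # 'default' is a property of /configurations, not a configuration node
        needed = {p for p in SIGNED_PROPS if p in cfg}
        covered = False
        for sname, sig in cfg.items():
            if not (sname.startswith("signature") and isinstance(sig, dict)):
                continue
            # A usable signature names an algorithm, carries a value, and lists every loaded image
            # ("sign-images" is a string list in the DTB; modelled as a Python list here).
            signs = set(sig.get("sign-images", []))
            covered |= "algo" in sig and "value" in sig and needed <= signs
        if not covered:
            findings.append(cname)
    return findings


def check_fit_images(fits):
    """Check every FIT in the boot chain, not only the first, and report findings per image."""
    return {idx: unsigned_configs(fit) for idx, fit in enumerate(fits)}


# Constructed sample: a first-stage FIT whose only configuration is fully signed ...
FIRST_STAGE = {
    "images": {"kernel": {}, "fdt-1": {}},
    "configurations": {
        "default": "conf-1",
        "conf-1": {"kernel": "kernel", "fdt": "fdt-1",
                   "signature-1": {"algo": "sha256,rsa2048", "key-name-hint": "dev",
                                   "sign-images": ["kernel", "fdt"], "value": b"<constructed>"}},
    },
}
# ... and a second-stage FIT where conf-2 loads a ramdisk its signature does not cover
# and conf-3 carries no signature node at all.
SECOND_STAGE = {
    "images": {"kernel": {}, "fdt-1": {}, "initrd": {}},
    "configurations": {
        "default": "conf-2",
        "conf-2": {"kernel": "kernel", "fdt": "fdt-1", "ramdisk": "initrd",
                   "signature-1": {"algo": "sha256,rsa2048", "sign-images": ["kernel", "fdt"],
                                   "value": b"<constructed>"}},
        "conf-3": {"kernel": "kernel", "fdt": "fdt-1"},
    },
}

if __name__ == "__main__":
    for idx, bad in check_fit_images([FIRST_STAGE, SECOND_STAGE]).items():
        print("FIT %d: %s" % (idx, "ok" if not bad else "not fully signed: " + ", ".join(bad)))
```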
