[U-Boot] Verified boot production uses question

Teddy Reed teddy.reed at gmail.com
Thu Jun 7 19:53:53 UTC 2018


On Thu, Jun 7, 2018 at 3:45 PM, Sam Voss <sam.voss at rockwellcollins.com> wrote:
> Teddy,
>
> On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed <teddy.reed at gmail.com> wrote:
>>
>> Hi all, question, is anyone using the U-Boot verified-boot in production?
>
> I have been digging into this lately as well, and actually noticed a
> few other things on top of what you are seeing, mentioned below. I
> don't want to derail this email thread too much, but there is another
> patch working on signature-key fallback sequencing as well (which
> claims to be supported).

No worries, any/all attention on the verified-boot implementation is great!

>
>> I am using configuration verification for several OpenCompute/OpenBMC
>> boards. After a deep-dive review I found some edge cases that in rare
>> circumstances could lead to a signature check bypass.
>
> Slightly related: if you use two FIT images to boot it seems that the
> second will never be verified. Once the first is deemed OK it just
> lets the boot happen.

Good find, this sounds like a limitation of the signature checking.
But this can be dangerous if you expected the secondary FIT to be
checked. I hope no one is using this scenario for production boards.

Curious if your planned patch is also addressing this limitation?

>
>> I think this is
>> low-risk at best since the scenario requires special hardware behavior
>> to exist. Our boards were susceptible in the general sense, but we had
>> implemented some additional sanity checks on the FIT structures that
>> prevented this.
>>
>> There are some proposed changes that attempt to mitigate this [1],
>> [2], [3]. Any one of these changes mitigates the bypass scenario. If
>> you don't mind reaching out to me I can share the exact
>> situation/details.
>>
>> [1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
>> [2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
>> [3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html
>>
>> Thanks,
>> -Teddy
>
> Thanks,
>
> Sam

Thanks,
-Teddy

