[U-Boot] Verified boot production uses question

Sam Voss sam.voss at rockwellcollins.com
Thu Jun 7 19:56:54 UTC 2018


Teddy, All,

>> On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed <teddy.reed at gmail.com> wrote:
>>>
>>> Hi all, question, is anyone using the U-Boot verified-boot in production?
>>
>> I have been digging into this lately as well, and actually noticed a
>> few other things on top of what you are seeing, mentioned below. I
>> don't want to derail this email thread too much, but there is another
>> patch working on signature-key fallback sequencing as well (which
>> claims to be supported).
>
> No worries, any/all attention on the verified-boot implementation is great!

I agree, it's a pretty handy feature.

>>
>>> I am using configuration verification for several OpenCompute/OpenBMC
>>> boards. After a deep-dive review I found some edge cases that in rare
>>> circumstances could lead to a signature check bypass.
>>
>> Slightly related: if you use two fit images to boot it seems that the
>> second will never be verified. Once the first is deemed OK it just
>> lets the boot happen.
>
> Good find, this sounds like a limitation of the signature checking.
> But this can be dangerous if you expected the secondary FIT to be
> checked. I hope no one is using this scenario for production boards.
>
> Curious if your planned patch is also addressing this limitation?

The patch I have out right now only focuses on the fallback mechanism
mentioned earlier, I wasn't able to go into the details on this one as
it may have fallen out of our scope. I will likely drop an RFC at some
point to try to get the conversation moving, however.

Thanks,

Sam
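The limitation raised above (only the first FIT is verified, the second is loaded without a signature check) is the kind of thing a build pipeline can at least catch structurally: audit every FIT image the boot chain will load, not just the first, and fail the build if any boot configuration lacks a `signature-*` subnode. The script below is an added example for this thread, not code from U-Boot or from either participant. It carries its own minimal flattened-device-tree builder and parser (a FIT is an FDT blob) so it runs offline on two constructed sample images; the property and node names (`configurations`, `signature-1`, `algo`, `key-name-hint`, `sign-images`) follow the FIT signing layout, while the file names `first.itb` / `second.itb` and the sample contents are made up here. It checks presence of configuration signatures only; it does not verify them cryptographically, which still needs the public key in the control FDT.

```python
import struct

# Flattened device tree constants (the container format FIT images use).
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_fdt(node: dict) -> bytes:
    """Serialise a nested {"name", "props", "children"} tree into an FDT blob."""
    strings, string_off, out = bytearray(), {}, bytearray()

    def name_offset(name: str) -> int:
        if name not in string_off:
            string_off[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return string_off[name]

    def emit(n: dict) -> None:
        out.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(n["name"].encode() + b"\0"))
        for k, v in n.get("props", {}).items():
            out.extend(struct.pack(">III", FDT_PROP, len(v), name_offset(k)) + _pad4(v))
        for child in n.get("children", []):
            emit(child)
        out.extend(struct.pack(">I", FDT_END_NODE))

    emit(node)
    out.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)          # empty memory reservation map
    off_struct = 40 + len(rsvmap)              # 40-byte header precedes it
    off_strings = off_struct + len(out)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(out))
    return bytes(header + rsvmap + out + strings)


def parse_fdt(blob: bytes) -> dict:
    """Parse an FDT blob into {node_path: {prop_name: raw_value}}."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree blob")
    nodes, stack, pos = {}, [], off_struct
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            stack.append(blob[pos:end].decode())
            pos = end + 1 + (-(end + 1) % 4)   # names are padded to 4 bytes
            nodes["/" + "/".join(s for s in stack if s)] = {}
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            key = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            nodes["/" + "/".join(s for s in stack if s)][key] = blob[pos:pos + length]
            pos += length + (-length % 4)      # values are padded to 4 bytes
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_END:
            return nodes
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")


def unsigned_configurations(fit: bytes) -> list:
    """Names of boot configurations that carry no signature-* subnode."""
    nodes = parse_fdt(fit)
    confs = [p for p in nodes if p.startswith("/configurations/") and p.count("/") == 2]
    return [c.rsplit("/", 1)[1] for c in confs
            if not any(p.startswith(c + "/signature") for p in nodes)]


def audit_boot_chain(fits: dict) -> dict:
    """Check every FIT the chain loads; return {fit_name: [unsigned confs]} for offenders."""
    return {name: bad for name, blob in fits.items() if (bad := unsigned_configurations(blob))}


def _sample_fit(signed: bool) -> bytes:
    """Constructed sample FIT: one kernel image, one configuration, optionally signed."""
    sig = [{"name": "signature-1", "props": {"algo": b"sha256,rsa2048\0",
            "key-name-hint": b"dev\0", "sign-images": b"kernel\0"}}] if signed else []
    return build_fdt({"name": "", "props": {"description": b"constructed sample FIT\0"}, "children": [
        {"name": "images", "children": [{"name": "kernel", "props": {"data": b"\0" * 8},
                                         "children": [{"name": "hash-1", "props": {"algo": b"sha256\0"}}]}]},
        {"name": "configurations", "props": {"default": b"conf-1\0"},
         "children": [{"name": "conf-1", "props": {"kernel": b"kernel\0"}, "children": sig}]},
    ]})


# Constructed two-FIT boot chain: the second image has no configuration signature.
BOOT_CHAIN = {"first.itb": _sample_fit(signed=True), "second.itb": _sample_fit(signed=False)}

if __name__ == "__main__":
    print(audit_boot_chain(BOOT_CHAIN))   # {'second.itb': ['conf-1']}
```

Running the audit over `BOOT_CHAIN` flags `second.itb`, which is exactly the image the thread says U-Boot would load without verifying. A build that treats a non-empty result as a failure stops an unsigned secondary FIT from reaching a board regardless of how the loader sequences its checks; U-Boot's own `fit_check_sign` tool can then do the cryptographic verification against the control FDT.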