[U-Boot] [swupdate] Re: SWUpdate - U-Boot environment library dependency
Simon Goldschmidt
simon.k.r.goldschmidt at gmail.com
Wed Nov 21 11:56:54 UTC 2018
On Wed, Nov 21, 2018 at 12:45 PM Wolfgang Denk <wd at denx.de> wrote:
>
> Dear Stefano,
>
> In message <9efc8990-118c-d5b9-802d-8190db2326d3 at denx.de> you wrote:
> >
> > True, but this has side effect and limitation. You cannot change a
> > variable in the default environment if you need it because you do not
> > know it. If some changes are needed, even if for very small things like
> > activating a gpio before booting, you need to update the bootloader.
>
> Just my words. (Mis) using the default environment for such
> purposes is broken by design.
>
> Let's get rid of this!
>
> > Moving to shared library should be done in U-Boot project, then. Some
> > changes are then required, at least how the environment is locked (it is
> > not clean as it is done now - locking should be done by the library and
> > not by the caller).
>
> Speaking of security... shared libraries open a number of new
> attack vectors, too...
>
> > > In a secure boot environment, you cannot allow to load the environment
> > > from an untrusted source. We need a default environment in this case.
> >
> > Or you make that changes are trusted.
>
> Right, when we sign (and check the signatures) of all other images,
> then why not do the very same for some environment image?
You normally cannot sign the environment on the target when saving it
when using private/public keys.
We are using a signed U-Boot image that apart from the default
environment only needs to load MAC addresses. I cannot do this via a
loaded environment (signed or unsigned) as the MAC addresses are
stored in production and I cannot rely on production always having an
up-to-date environment to embed their MAC addresses when programming.
To use environment loading here, I would have to implement a whitelist
that only loads the MAC addresses from the saved environment. That
sounds a bit hacked, too.
So when it comes to secure boot, I do think there's a use case for not
loading an environment. I don't currently mind how this environment is
initialized. And maybe I don't yet get what you are talking about when
trying to get rid of the default environment. I do need U-Boot to run
with a predefined environment without loading it.
Regards,
Simon
>
> That would even be _better_ as currently there is no, absolutely no
> check if the builtin default environment is in any way consistent.