[U-Boot] [swupdate] Re: SWUpdate - U-Boot environment library dependency

Wolfgang Denk wd at denx.de
Wed Nov 21 12:22:38 UTC 2018


Dear Simon,

In message <CAAh8qszhQARksHGQkUMk_QEyA8j6s7p_gnNCGQbZfAi_SK0W5A at mail.gmail.com> you wrote:
> >
> > Right, when we sign (and check the signatures) of all other images,
> > then why not do the very same for some environment image?
>
> You normally cannot sign the environment in the target when saving it
> when using private/public keys.

You mix things here.  I was never talking about the currently used
(and modified) environment "when saving it".

Discussion was about the default environment, and I suggested to
replace this with a (signed) image used to initialize the normal
environment.  There has never been a request or suggestion to create
this signature on the target - do it in the very same way as you
sign all other images for the system.

> We are using a signed U-Boot image that apart from the default
> environment only needs to load MAC addresses. I cannot do this via a
> loaded environment (signed or unsigned) as the MAC addresses are
> stored in production and I cannot rely on production always having an
> up-to-date environment to embed their MAC addresses when programming.

Yes you can.  If you like, you can have the U-Boot image and the
environment image separate and signed separately,  or you can create
some form of metaimage (say, as FIT) with individual signatures, or
you can simply concatenate both and use a common signature.  There
are a zillion ways to do it.

> To use environment loading here, I would have to implement a whitelist
> that only loads the MAC addresses from the saved environment. That
> sounds a bit hacked, too.

Why are you making things so complicated?  You can always do just
"env import ethaddr".  No need to implement anything.

> So when it comes to secure boot, I do think there's a use case for not
> loading an environment.

But you are loading it in any case.  Whether from a binary object
placed by the linker somewhere in your data segment or from a
[signed or at least checksummed] image somewhere else does not make
any difference security-wise.  It is only a minimal technical
difference, i. e. using a different loading mechanism.

> I don't currently mind how this environment is
> initialized. And maybe I don't yet get what you are talking about when
> trying to get rid of the default environment. I do need U-Boot to run
> with a predefined environment without loading it.

See my previous explanation about the 3 copies of the environment.
All I suggest is to replace the binary blob by something that is not
statically linked into the U-Boot image, so it can be shared for
example with the fw_env tools.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Philosophy is a game with objectives and no rules.
Mathematics is a game with rules and no objectives.
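An added illustration of the two points made above, the environment as a checksummed image that the fw_env tools can share and a selective "env import" that takes only ethaddr from the saved copy. This is example code written for this page, not code from the thread or from U-Boot; it reproduces U-Boot's env_t layout (a little-endian CRC32 over the data area, a one-byte flags field only for redundant two-copy environments, NUL-terminated key=value entries closed by an extra NUL and zero-padded to the configured size). The function names and the sample variables are constructed for the example, and the CRC32 is only a corruption check: the signature Wolfgang refers to would be applied to this image (or to a FIT wrapping it) in a separate signing step.

```python
import zlib

CRC_LEN = 4      # uint32 CRC32 header, little-endian
FLAGS_LEN = 1    # flags byte present only in redundant (two-copy) environments


def build_env_image(variables, size, redundant=False):
    """Serialize variables into a U-Boot-style environment image of `size` bytes.

    The CRC covers the data area only (not the CRC field or the flags byte),
    which matches what U-Boot checks when it loads a saved environment.
    """
    header = CRC_LEN + (FLAGS_LEN if redundant else 0)
    data_size = size - header
    entries = []
    for key, value in sorted(variables.items()):
        if "=" in key or "\0" in key or "\0" in value:
            raise ValueError(f"invalid variable: {key!r}")
        entries.append(f"{key}={value}".encode() + b"\0")
    body = b"".join(entries) + b"\0"          # double NUL terminates the list
    if len(body) > data_size:
        raise ValueError("environment does not fit into the image")
    data = body.ljust(data_size, b"\0")       # zero padding, as mkenvimage does by default
    crc = zlib.crc32(data) & 0xFFFFFFFF
    flags = b"\0" if redundant else b""
    return crc.to_bytes(4, "little") + flags + data


def parse_env_image(image, redundant=False):
    """Verify the CRC and return the variables; raise ValueError on corruption."""
    header = CRC_LEN + (FLAGS_LEN if redundant else 0)
    stored = int.from_bytes(image[:CRC_LEN], "little")
    data = image[header:]
    if zlib.crc32(data) & 0xFFFFFFFF != stored:
        raise ValueError("environment CRC mismatch")
    env = {}
    for entry in data.split(b"\0"):
        if not entry:                          # first empty entry is the terminator
            break
        key, _, value = entry.partition(b"=")  # split on the first '=' only
        env[key.decode()] = value.decode()
    return env


def import_selected(defaults, saved_image, whitelist, redundant=False):
    """Emulate a selective 'env import': start from the built-in defaults and
    take only the listed variables from the saved environment image."""
    saved = parse_env_image(saved_image, redundant)
    merged = dict(defaults)
    for name in whitelist:
        if name in saved:
            merged[name] = saved[name]
    return merged


# Constructed sample data for the example (not from any real board).
DEFAULT_VARS = {"bootcmd": "run distro_bootcmd", "bootdelay": "2"}
SAVED_VARS = {"bootcmd": "run netboot", "ethaddr": "02:00:00:00:00:01",
              "note": "a=b"}


def demo(size=256):
    """Build a saved-environment image, then import only ethaddr from it."""
    image = build_env_image(SAVED_VARS, size)
    return import_selected(DEFAULT_VARS, image, ("ethaddr",))


if __name__ == "__main__":
    print(demo())
```

Running it shows that only ethaddr crosses from the saved environment into the running one, while bootcmd stays at its default even though the saved image carries a different value; a single flipped byte in the data area makes parse_env_image raise, which is the corruption check that fw_setenv and U-Boot both perform before trusting a saved copy.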