[U-Boot] [swupdate] Re: SWUpdate - U-Boot environment library dependency

Stefano Babic sbabic at denx.de
Wed Nov 21 15:01:41 UTC 2018 

On 21/11/18 15:37, Simon Goldschmidt wrote:
> 
> 
> Am Mi., 21. Nov. 2018, 15:27 hat Wolfgang Denk <wd at denx.de
> <mailto:wd at denx.de>> geschrieben:
> 
>     Dear Stefano,
> 
>     In message <7089ef62-ed0f-87f4-e979-8c18a6ae4b62 at denx.de
>     <mailto:7089ef62-ed0f-87f4-e979-8c18a6ae4b62 at denx.de>> you wrote:
>     >
>     > > Right, when we sign (and check the signatures) of all other images,
>     > > then why not do the very same for some environment image?
>     >
>     > The weird thing is with "saveenv" - if we just read the env, it is
>     fine,
>     > but if we want to change it, we need to sign, and this requires a
>     > private key on target.
> 
>     Agreed, but this is a totaly different issue.
> 
>     The separate (potentially singed0 environment image is only the
>     replacement for the current "default environment", which is not
>     used for "env save".  In the same way, there is no need to modfy the
>     signed image.
> 
>     But yes, it might be desirable to protect the working environment
>     against malicious manipulation - but this should be discussed in a
>     separate thread.
> 
>     > > That would even be _better_ as currently there is no, absolutely no
>     > > check if the builtin default environment is in any way consistent.
>     >
>     > This is not true. If the environment is linked to u-boot, it is signed
>     > together with u-boot and its consistency is automatically verified.
> 
>     Only if you use signed images.  With plain U-Boot, there is not even
>     a checksum for it...
> 
> 
> When SPL loads U-Boot from a legacy image, isn't there a CRC involved
> over the full image including the environment?

I think Marek is talking about raw u-boot, not in case mkimage has put
an header at the beginning. See CONFIG_SPL_RAW_IMAGE_SUPPORT and
spl_parse_image_header(). The image is simply loaded without checks.

Best regards,
Stefano


-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================

More information about the U-Boot mailing list