[U-Boot] U-Boot Security

Linder Pascal Pascal.Linder at edu.hefr.ch
Mon Apr 29 09:09:24 UTC 2019


Hello everyone,


I have created the FIT to be loaded by the SPL and the keys for the signature.


Now, I am wondering how the signature is done by U-Boot? Is there an option in menuconfig that points to the key or is it me that has to do it manually? Also, I am wondering how to place the public key inside the U-Boot image?


Sincerely,


Pascal Linder

Student, Telecommunications, Networks and Security

Class T-3b

________________________________
From: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
Sent: Saturday, 27 April 2019 21:12:03
To: Linder Pascal
Subject: Re: AW: [U-Boot] U-Boot Security

Hello Pascal,

I can't help you much there, I can only tell you SPL -> U-Boot should be
the same as U-Boot -> FIT(Linux). I once tested this and it works, but
it's too long ago to remember. And your first mail suggested the latter
case (U-Boot -> FIT/Linux) already works for you...

Besides, please keep the discussion public (on the mailing list). There
are others who know this far better than me and might be able to help more.

Regards,
Simon

On 27.04.19 17:50, Linder Pascal wrote:
> Hello Simon,
>
> Thanks for your response! Now, I am just wondering how the signature is done by U-Boot. Or is it me that must sign the images manually with mkimage?
>
>
> The key and certificate I have in a directory called keys inside U-Boot. Is there an option in KConfig to create the relation to this key?
>
>
> Summarized, I would like to know how to put the public key into my U-Boot image?
>
>
> Sincerely,
>
>
> Pascal Linder
>
> Student, Telecommunications, Networks and Security
>
> Class T-3b
>
> ________________________________
> From: Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>
> Sent: Wednesday, 24 April 2019 19:56:51
> To: Linder Pascal; u-boot at lists.denx.de
> Subject: Re: [U-Boot] U-Boot Security
>
> On 24.04.2019 at 15:55, Linder Pascal wrote:
>> Hello everyone,
>>
>>
>> I want to add some supplementary security to my embedded system. The Flattened Image Tree (FIT) to secure the operating system and the device tree, I have already found. Now, I am wondering if I could also secure U-Boot itself before starting it by the Secondary Program Loader (SPL). Does anyone know a method to do that?
>
> Just as U-Boot can load Kernel + DTS as FIT, SPL can load U-Boot as FIT.
> See CONFIG_SPL_LOAD_FIT. This FIT containing U-Boot + its DTS can then
> be verified, too.
>
> Regards,
> Simon
>
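
Added example, not part of the original thread and not taken from the U-Boot tree: an image source file for a FIT that holds U-Boot and its device tree with a signed configuration, plus the mkimage call that signs it and writes the public key into a device tree. File names, the load address, the architecture and the key name "dev" are placeholders, and it assumes the SPL build has FIT signature verification enabled (CONFIG_SPL_FIT_SIGNATURE) alongside CONFIG_SPL_LOAD_FIT.

```dts
/* u-boot.its: constructed example; names and addresses are placeholders */
/dts-v1/;

/ {
	description = "U-Boot and its device tree, loaded by SPL";
	#address-cells = <1>;

	images {
		uboot {
			description = "U-Boot proper";
			data = /incbin/("u-boot-nodtb.bin");
			type = "firmware";
			os = "u-boot";
			arch = "arm";            /* placeholder: board architecture */
			compression = "none";
			load = <0x80800000>;     /* placeholder: board-specific address */
			hash-1 { algo = "sha256"; };
		};
		fdt-1 {
			description = "U-Boot control device tree";
			data = /incbin/("u-boot.dtb");
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash-1 { algo = "sha256"; };
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			firmware = "uboot";
			fdt = "fdt-1";
			/* The configuration signature covers the hashes of the images
			 * listed in sign-images, binding them to this configuration. */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";  /* expects keys/dev.key and keys/dev.crt */
				sign-images = "firmware", "fdt";
			};
		};
	};
};

/*
 * Signing is a manual (or build-script) step on the build host:
 *   mkimage -f u-boot.its -k keys -K spl.dtb -r u-boot.itb
 * -k: directory with the key pair, -K: device tree that receives the
 * public key (placeholder name for the verifying stage's device tree),
 * -r: mark the key as required for verification.
 */
```

The device tree given to -K has to be the one built into the stage that performs the verification, so that stage must be reassembled after signing.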

