[U-Boot] verified boot against a chain of public keys
wpdster at gmail.com
Mon Aug 12 12:01:09 UTC 2019
I am about to embark on the task of adding support for importing and
using multiple keys in the verified boot process. Does u-boot already
support this? Has anybody (else) thought about it?
Basically, I would like to add the ability to import a public key into
u-boot, which must be signed by the (one of) the existing key(s), and
use that key to validate the image that I want to boot (or additional
keys I would like to import). In essence, I would like to add a
signature chain to u-boot that can be loaded at runtime.
I am about to dive into the code and see if I think this is a good or
bad idea from the perspective of the code, but, in parallel, I thought
I should ask for some perspective from the community.
It seems to me that I could package up the key to be imported into a
.dts file, sign that using mkimage, and "boot" it into u-boot with the
"bootm" command. (I would prefer to use a "loadkey" command, just to
make things clear.). It seems like most of the machinery I need should
already be there.
It also seems like it should be pretty easy to teach u-boot to support
having multiple keys in memory (using the key-name-hint), and, in
fact, that capability may already be there. (I'll know shortly after
I start digging further into the code).
Anyway, back to the opening paragraph... Does u-boot already support
anything like this? Do folks think this is a good idea? a bad idea?
a difficult idea? an easy idea?
More information about the U-Boot