Sourcing a signed boot script

Diego Rondini diego.rondini at kynetics.com
Fri Dec 6 15:47:10 CET 2019


Hi Lukasz,

On Thu, Dec 5, 2019 at 11:14 PM Lukasz Majewski <lukma at denx.de> wrote:
>
> Hi Diego,
>
> > Hi,
> >
> > I would like to ask if it is possible to source a script after
> > verifying its signature.
> >
> > Currently I've been able to source a script from a signed FIT image,
> > before doing "bootm", with:
> > source <addr>:<name>
> > But this way the signature is not checked yet, so the script cannot
> > be trusted.
> >
> > According to the docs[1] it seems that it's not possible yet to verify
> > a FIT image signature without also booting the corresponding image. Is
> > that right?
>
> You can look into the "spl" command, which does the FIT parsing (to
> prepare data for falcon mode booting).
>
> You may want to re-use such a "dry-run" feature to verify the signature,
> extract the script and use it.
>
> (And yes, I don't think that checking the signature for a script works
> out of the box).
>

I will have a look at your suggestion and report back the outcome!

Thanks again,
Diego Rondini

