[U-Boot] Verified boot of images without signatures

Patrick Doyle wpdster at gmail.com
Wed Jun 12 14:54:01 UTC 2019 

I am looking at enabling verified boot in the v2019.04-rc4 tag of
u-boot.  I was pleased when I learned how to embed the public
authentication key in my u-boot device tree, sign my kernel using my
private authentication key, and see u-boot validate the signature on
boot.

But then I was very surprised to learn that I could still boot an
unsigned image.  So I started looking at the code and I found
`fit_image_verify_with_data() in "common/image_fit.c", which does:

    if (IMAGE_ENABLE_VERIFY &&
        fit_image_verify_required_sigs(fit, image_noffset, data, size,
                       gd_fdt_blob(), &verify_all)) {
        err_msg = "Unable to verify required signature";
        goto error;
    }

    /* Process all hash subnodes of the component image node */
    fdt_for_each_subnode(noffset, fit, image_noffset) {
        const char *name = fit_get_name(fit, noffset, NULL);

        /*
         * Check subnode name, must be equal to "hash".
         * Multiple hash nodes require unique unit node
         * names, e.g. hash-1, hash-2, etc.
         */
        if (!strncmp(name, FIT_HASH_NODENAME,
                 strlen(FIT_HASH_NODENAME))) {
            if (fit_image_check_hash(fit, noffset, data, size,
                         &err_msg))
                goto error;
            puts("+ ");
        } else if (IMAGE_ENABLE_VERIFY && verify_all &&
                !strncmp(name, FIT_SIG_NODENAME,
                    strlen(FIT_SIG_NODENAME))) {
            ret = fit_image_check_sig(fit, noffset, data,
                            size, -1, &err_msg);

            /*
             * Show an indication on failure, but do not return
             * an error. Only keys marked 'required' can cause
             * an image validation failure. See the call to
             * fit_image_verify_required_sigs() above.
             */
            if (ret)
                puts("- ");
            else
                puts("+ ");
        }
    }

I see that if I create a "required" property in my signature block,
then u-boot will require that the signature match.  But if I don't
have that, then it will happily boot an unsigned image (or even one
that doesn't have any signature blocks).

Am I missing something here?

Has this been improved/addressed since v2019.04-rc4?

If the answers are "No" and "No", then I will go in and address it
myself.  I welcome any tips folks might care to give me in advance of
me just submitting a patch to address this.

--wpd

More information about the U-Boot mailing list