[U-Boot] Verified boot of images without signatures
Patrick Doyle
wpdster at gmail.com
Wed Jun 12 14:54:01 UTC 2019
I am looking at enabling verified boot in the v2019.04-rc4 tag of
u-boot. I was pleased when I learned how to embed the public
authentication key in my u-boot device tree, sign my kernel using my
private authentication key, and see u-boot validate the signature on
boot.
But then I was very surprised to learn that I could still boot an
unsigned image. So I started looking at the code and I found
`fit_image_verify_with_data() in "common/image_fit.c", which does:
if (IMAGE_ENABLE_VERIFY &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
gd_fdt_blob(), &verify_all)) {
err_msg = "Unable to verify required signature";
goto error;
}
/* Process all hash subnodes of the component image node */
fdt_for_each_subnode(noffset, fit, image_noffset) {
const char *name = fit_get_name(fit, noffset, NULL);
/*
* Check subnode name, must be equal to "hash".
* Multiple hash nodes require unique unit node
* names, e.g. hash-1, hash-2, etc.
*/
if (!strncmp(name, FIT_HASH_NODENAME,
strlen(FIT_HASH_NODENAME))) {
if (fit_image_check_hash(fit, noffset, data, size,
&err_msg))
goto error;
puts("+ ");
} else if (IMAGE_ENABLE_VERIFY && verify_all &&
!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_check_sig(fit, noffset, data,
size, -1, &err_msg);
/*
* Show an indication on failure, but do not return
* an error. Only keys marked 'required' can cause
* an image validation failure. See the call to
* fit_image_verify_required_sigs() above.
*/
if (ret)
puts("- ");
else
puts("+ ");
}
}
I see that if I create a "required" property in my signature block,
then u-boot will require that the signature match. But if I don't
have that, then it will happily boot an unsigned image (or even one
that doesn't have any signature blocks).
Am I missing something here?
Has this been improved/addressed since v2019.04-rc4?
If the answers are "No" and "No", then I will go in and address it
myself. I welcome any tips folks might care to give me in advance of
me just submitting a patch to address this.
--wpd
More information about the U-Boot
mailing list