[U-Boot] Verified boot of images without signatures
Alex Kiernan
alex.kiernan at gmail.com
Wed Jun 12 18:10:07 UTC 2019
On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster at gmail.com> wrote:
>
> I am looking at enabling verified boot in the v2019.04-rc4 tag of
> u-boot. I was pleased when I learned how to embed the public
> authentication key in my u-boot device tree, sign my kernel using my
> private authentication key, and see u-boot validate the signature on
> boot.
>
> But then I was very surprised to learn that I could still boot an
> unsigned image. So I started looking at the code and I found
> fit_image_verify_with_data() in "common/image_fit.c", which does:
>
>     if (IMAGE_ENABLE_VERIFY &&
>         fit_image_verify_required_sigs(fit, image_noffset, data, size,
>                                        gd_fdt_blob(), &verify_all)) {
>         err_msg = "Unable to verify required signature";
>         goto error;
>     }
>
>     /* Process all hash subnodes of the component image node */
>     fdt_for_each_subnode(noffset, fit, image_noffset) {
>         const char *name = fit_get_name(fit, noffset, NULL);
>
>         /*
>          * Check subnode name, must be equal to "hash".
>          * Multiple hash nodes require unique unit node
>          * names, e.g. hash-1, hash-2, etc.
>          */
>         if (!strncmp(name, FIT_HASH_NODENAME,
>                      strlen(FIT_HASH_NODENAME))) {
>             if (fit_image_check_hash(fit, noffset, data, size,
>                                      &err_msg))
>                 goto error;
>             puts("+ ");
>         } else if (IMAGE_ENABLE_VERIFY && verify_all &&
>                    !strncmp(name, FIT_SIG_NODENAME,
>                             strlen(FIT_SIG_NODENAME))) {
>             ret = fit_image_check_sig(fit, noffset, data,
>                                       size, -1, &err_msg);
>
>             /*
>              * Show an indication on failure, but do not return
>              * an error. Only keys marked 'required' can cause
>              * an image validation failure. See the call to
>              * fit_image_verify_required_sigs() above.
>              */
>             if (ret)
>                 puts("- ");
>             else
>                 puts("+ ");
>         }
>     }
>
> I see that if I create a "required" property in my signature block,
> then u-boot will require that the signature match. But if I don't
> have that, then it will happily boot an unsigned image (or even one
> that doesn't have any signature blocks).
>
> Am I missing something here?
>
Probably... I went round a very similar loop too. You need the
required property in the U-Boot DTB, not in the image you're booting.
And if you're trying to do this for SPL loading U-Boot you need
CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
image support.
--
Alex Kiernan
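The two places a signature node can appear, written out as an added example (not from this thread or the U-Boot tree). The key name "dev", the file names and the elided RSA values are assumptions; the point is that only the second fragment, in the U-Boot control DTB, turns verification from "report" into "enforce":

```dts
/* 1. image.its -- the signature node inside the FIT that is booted.
 *    A "required" property here is ignored: U-Boot only reads
 *    "required" from its own control DTB, so this alone still
 *    lets an unsigned FIT boot (the fail-open case in the thread). */
/ {
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";           /* matches key-dev below */
                sign-images = "kernel", "fdt";   /* every image the config uses */
            };
        };
    };
};

/* 2. u-boot.dtb -- the control DTB, as written by
 *    mkimage -f image.its -K u-boot.dtb -k keys -r image.itb
 *    (-K adds the public key, -r adds "required").  With this node a
 *    missing or invalid configuration signature aborts the boot. */
/ {
    signature {
        key-dev {                        /* "key-" + key-name-hint */
            required = "conf";           /* "conf": configs must be signed;
                                            "image": each image must be signed */
            algo = "sha256,rsa2048";
            key-name-hint = "dev";
            rsa,num-bits = <2048>;
            rsa,modulus = [ /* 256 bytes of public modulus, elided */ ];
            rsa,r-squared = [ /* 256 bytes, elided */ ];
            rsa,n0-inverse = <0x0 /* elided */>;
        };
    };
};
```

Check the result with `fdtget u-boot.dtb /signature/key-dev required` before flashing; U-Boot must also be built with CONFIG_FIT_SIGNATURE=y and, as noted above, without legacy image support.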