[U-Boot] Verified boot of images without signatures

Wed Jun 12 18:10:07 UTC 2019

On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster at gmail.com> wrote:
>
> I am looking at enabling verified boot in the v2019.04-rc4 tag of
> u-boot.  I was pleased when I learned how to embed the public
> authentication key in my u-boot device tree, sign my kernel using my
> private authentication key, and see u-boot validate the signature on
> boot.
>
> But then I was very surprised to learn that I could still boot an
> unsigned image.  So I started looking at the code and I found
> `fit_image_verify_with_data() in "common/image_fit.c", which does:
>
>     if (IMAGE_ENABLE_VERIFY &&
>         fit_image_verify_required_sigs(fit, image_noffset, data, size,
>                        gd_fdt_blob(), &verify_all)) {
>         err_msg = "Unable to verify required signature";
>         goto error;
>     }
>
>     /* Process all hash subnodes of the component image node */
>     fdt_for_each_subnode(noffset, fit, image_noffset) {
>         const char *name = fit_get_name(fit, noffset, NULL);
>
>         /*
>          * Check subnode name, must be equal to "hash".
>          * Multiple hash nodes require unique unit node
>          * names, e.g. hash-1, hash-2, etc.
>          */
>         if (!strncmp(name, FIT_HASH_NODENAME,
>                  strlen(FIT_HASH_NODENAME))) {
>             if (fit_image_check_hash(fit, noffset, data, size,
>                          &err_msg))
>                 goto error;
>             puts("+ ");
>         } else if (IMAGE_ENABLE_VERIFY && verify_all &&
>                 !strncmp(name, FIT_SIG_NODENAME,
>                     strlen(FIT_SIG_NODENAME))) {
>             ret = fit_image_check_sig(fit, noffset, data,
>                             size, -1, &err_msg);
>
>             /*
>              * Show an indication on failure, but do not return
>              * an error. Only keys marked 'required' can cause
>              * an image validation failure. See the call to
>              * fit_image_verify_required_sigs() above.
>              */
>             if (ret)
>                 puts("- ");
>             else
>                 puts("+ ");
>         }
>     }
>
> I see that if I create a "required" property in my signature block,
> then u-boot will require that the signature match.  But if I don't
> have that, then it will happily boot an unsigned image (or even one
> that doesn't have any signature blocks).
>
> Am I missing something here?
>

Probably... I went round a very similar loop too. You need the
required property in the U-Boot DTB, not in the image you're booting.
And if you're trying to do this for SPL loading U-Boot you need
CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
image support.

-- 
Alex Kiernan