[PATCH v3] spl: allow board_spl_fit_post_load() to fail

Stefano Babic sbabic at denx.de
Thu Jul 23 08:45:11 CEST 2020

Hi Patrick,

On 22.07.20 23:20, Patrick Wildt wrote:
> On Fri, Jun 05, 2020 at 03:54:14PM -0400, Tom Rini wrote:
>> On Mon, Jun 01, 2020 at 12:08:45PM +0200, Marek Vasut wrote:
>>> On 6/1/20 4:30 AM, Peng Fan wrote:
>>>>> Subject: [PATCH v3] spl: allow board_spl_fit_post_load() to fail
>>>>> On i.MX platforms board_spl_fit_post_load() can check the loaded SPL image
>>>>> for authenticity using its HAB engine.  U-Boot's SPL mechanism allows
>>>>> booting images from other sources as well, but in the current setup the SPL
>>>>> would just hang if it encounters an image that does not pass scrutiny.
>>>> security.
>>>>> Allowing the function to return an error, allows the SPL to try booting from
>>>>> another source as a fallback instead of ending up as a brick.
>>>> This will break secure boot chain.
>>> How? Please elaborate.
>>> jump_to_image_no_args() will authenticate the image before starting it,
>>> so I don't think so. However, that is still prone to
>>> time-of-check/time-of-use attack anyway.
>> Yes, please elaborate, thanks!
> Ping?  How will this break the secure boot chain?

To be honest: I had merged this one (after the discussion with Marek and 
his patch calling panic()), but I worried if there is a hidden reason to 
break secure boot. I do not know the reason, I am curious, too, which is 
the reason because I will see this patch in (this helps to provide a 
safe update of bootloader).

Best regards,

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de

More information about the U-Boot mailing list