U-Boot FIT Signature Verification

Heinrich Schuchardt xypron.glpk at gmx.de
Wed Sep 16 14:44:45 CEST 2020 

On 16.09.20 14:05, Joakim Tjernlund wrote:
> On Wed, 2020-09-16 at 13:55 +0200, Heinrich Schuchardt wrote:
>> On 16.09.20 13:40, Joakim Tjernlund wrote:
>>> On Wed, 2020-09-16 at 13:14 +0200, Heinrich Schuchardt wrote:
>>>> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>>>
>>>>
>>>> On 16.09.20 10:13, AKASHI Takahiro wrote:
>>>>> On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
>>>>>> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
>>>>>>> Hi there,
>>>>>>>
>>>>>>>     Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Andy
>>>>>>>
>>>>>>
>>>>>> Hello Philippe,
>>>>>>
>>>>>> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
>>>>>> find a comparison of the date on which an image was signed with the
>>>>>> expiry date of the certificate. Shouldn't there be a check? Or did I
>>>>>> simply look into the wrong function?
>>>>>
>>>>> I think Simon is the right person to answer this question, but
>>>>>
>>>>> as far as I know, we don't have any device tree property for the expiration
>>>>> date of a public key. See doc/uImage.FIT/signature.txt.
>>>>
>>>> Yes, the problem starts with mkimage not writing the dates available in
>>>> the X509 certificate into the device tree.
>>>>
>>>> The dates are accessible via the X509_get0_notBefore() and
>>>> X509_get0_notAfter() functions of the OpenSSL library.
>>>>
>>>>
>>>> Takahiro, could you, please, also look at the UEFI secure boot
>>>> implementation in U-Boot. EDK2 validates the dates via the embedded
>>>> OpenSSL library in
>>>> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function
>>>> verify_chain(). We should not do less.
>>>
>>> Does that mean that verified boot stops/fails when the date expires ?
>>> How do you guarantee that the device has the correct time ?
>>>
>>>    Jocke
>>>
>>
>> We talking of the validity time range of the public key and the date of
>> signature of the intermediate certificates and the loaded image. No RTC
>
> OK, but still: will an invalid time range then stop booting ?
>
>

If you use a certificate that is valid until 2019 to sign an image or an
intermediate certificate in 2020, the image must not be loaded.

Best regards

Heinrich

More information about the U-Boot mailing list