U-Boot FIT Signature Verification

Wed Sep 16 21:54:24 CEST 2020

On Wed, Sep 16, 2020 at 02:44:45PM +0200, Heinrich Schuchardt wrote:
> On 16.09.20 14:05, Joakim Tjernlund wrote:
> > On Wed, 2020-09-16 at 13:55 +0200, Heinrich Schuchardt wrote:
> >> On 16.09.20 13:40, Joakim Tjernlund wrote:
> >>> On Wed, 2020-09-16 at 13:14 +0200, Heinrich Schuchardt wrote:
> >>>> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> >>>>
> >>>>
> >>>> On 16.09.20 10:13, AKASHI Takahiro wrote:
> >>>>> On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
> >>>>>> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
> >>>>>>> Hi there,
> >>>>>>>
> >>>>>>>     Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>> Andy
> >>>>>>>
> >>>>>>
> >>>>>> Hello Philippe,
> >>>>>>
> >>>>>> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> >>>>>> find a comparison of the date on which an image was signed with the
> >>>>>> expiry date of the certificate. Shouldn't there be a check? Or did I
> >>>>>> simply look into the wrong function?
> >>>>>
> >>>>> I think Simon is the right person to answer this question, but
> >>>>>
> >>>>> as far as I know, we don't have any device tree property for the expiration
> >>>>> date of a public key. See doc/uImage.FIT/signature.txt.
> >>>>
> >>>> Yes, the problem starts with mkimage not writing the dates available in
> >>>> the X509 certificate into the device tree.
> >>>>
> >>>> The dates are accessible via the X509_get0_notBefore() and
> >>>> X509_get0_notAfter() functions of the OpenSSL library.
> >>>>
> >>>>
> >>>> Takahiro, could you, please, also look at the UEFI secure boot
> >>>> implementation in U-Boot. EDK2 validates the dates via the embedded
> >>>> OpenSSL library in
> >>>> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function
> >>>> verify_chain(). We should not do less.
> >>>
> >>> Does that mean that verified boot stops/fails when the date expires ?
> >>> How do you guarantee that the device has the correct time ?
> >>>
> >>>    Jocke
> >>>
> >>
> >> We talking of the validity time range of the public key and the date of
> >> signature of the intermediate certificates and the loaded image. No RTC
> >
> > OK, but still: will an invalid time range then stop booting ?
> >
> >
> 
> If you use a certificate that is valid until 2019 to sign an image or an
> intermediate certificate in 2020, the image must not be loaded.

Right.  And to be clear, the case of using a valid until 2021 cert to
sign everything in 2020 will be seen as valid in 2022.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200916/31301554/attachment.sig>