U-Boot FIT Signature Verification

AKASHI Takahiro takahiro.akashi at linaro.org
Thu Sep 17 07:26:03 CEST 2020


On Wed, Sep 16, 2020 at 01:14:56PM +0200, Heinrich Schuchardt wrote:
> On 16.09.20 10:13, AKASHI Takahiro wrote:
> > On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
> >> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
> >>> Hi there,
> >>>
> >>>     Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
> >>>
> >>> Cheers,
> >>> Andy
> >>>
> >>
> >> Hello Philippe,
> >>
> >> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> >> find a comparison of the date on which an image was signed with the
> >> expiry date of the certificate. Shouldn't there be a check? Or did I
> >> simply look into the wrong function?
> >
> > I think Simon is the right person to answer this question, but
> >
> > as far as I know, we don't have any device tree property for the expiration
> > date of a public key. See doc/uImage.FIT/signature.txt.
> 
> Yes, the problem starts with mkimage not writing the dates available in
> the X509 certificate into the device tree.
> 
> The dates are accessible via the X509_get0_notBefore() and
> X509_get0_notAfter() functions of the OpenSSL library.
> 
> 
> Takahiro, could you, please, also look at the UEFI secure boot
> implementation in U-Boot. EDK2 validates the dates via the embedded
> OpenSSL library in
> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function
> verify_chain(). We should not do less.

Yes, we do the check. See pkcs7_verify_one() in lib/crypto/pkcs7_verify.c.

-Takahiro Akashi


> Best regards
> 
> Heinrich


More information about the U-Boot mailing list