verified boot (vboot) with secure U-Boot env for SWUpdate

Stefano Babic sbabic at denx.de
Fri Mar 19 18:17:26 CET 2021 

Hi Tim,

On 19.03.21 16:50, Tim Harvey wrote:
> Greetings,
> 
> I'm looking at using SWUpdate to facilitate an A/B ping-pong method of
> firmware updates where a state is stored in U-Boot env by the SWUpdate
> postinst script.

You do not need a postinstall script, yoiu just add the environment to 
the "bootenv" section in sw-description.

> 
> I'm needing to use secure boot with U-Boot's verified boot support and
> am not clear how, if at all, the U-Boot env can be authenticated.
> 
> Is there any authentication support within a flash stored U-boot
> environment that is supported by fw_setenv and if not what is the
> recommendation for removing environment and are there any other
> suggestions for an SWUpdate postinstall script to select the OS image
> to boot after an update?

There is no authentication in U-Boot - I supposed to add a signed 
environment to U-Boot, but then U-Boot won't be able save the env 
because a "saveenv" requires a private key.

The current solution is to use CONFIG_ENV_WRITEABLE_LIST. You have a 
short list (I use just one) of variables that are allowed to be changed, 
while the complete environment is added via CONFIG_EXTRA_ENV and, 
because it is linked to u-boot, is signed as well. If you set your 
script to depend on just one variable to select if A or B can run, you 
can be sure that the rest of environment cannot be compromised. You 
should also set flags for the variable to be sure that it is not changed 
to be a script (just integer are accepted).

Another solution is to use CONFIG_ENV_EMBEDDED and to switch via the 
ssbl_hanlder in SWUpdate. Anyway, support for this easy "switcher" is 
not present in U-Boot and should be added. This left the whole 
environment untouched, and the selection between A/B is done via an 
external structure.

Best regards,
Stefano

-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================

More information about the U-Boot mailing list