[PATCH] boot: don't enable booti/bootz by default if FIT_SIGNATURE is set
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Nov 3 19:24:34 CET 2021
On 11/3/21 08:44, Rover Mo wrote:
> To prevent boot unsigned images, same as CONFIG_LEGACY_IMAGE_FORMAT,
nits:
%s/boot/booting/
> don't enable CONFIG_CMD_BOOTI and CONFIG_CMD_BOOTI by default if
> CONFIG_FIT_SIGNATURE is enabled.
Disabling the booti and the bootz command does not stop you from booting
unsigned images, e.g. using the bootefi command.
>
> Signed-off-by: Yuezhang.Mo <myzmzz at 126.com>
> ---
> cmd/Kconfig | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 5b30b13e43..5f9dd91928 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -203,15 +203,24 @@ config BOOTM_EFI
>
> config CMD_BOOTZ
> bool "bootz"
> + default y if !FIT_SIGNATURE
> help
> Boot the Linux zImage
> + It is enabled by default for backward compatibility, unless
> + FIT_SIGNATURE is set where it is disabled so that unsigned images
> + cannot be loaded. If a board needs to boot a Linux zImage in this
> + case, enable it here.
>
> config CMD_BOOTI
> bool "booti"
> depends on ARM64 || RISCV
> - default y
> + default y if !FIT_SIGNATURE
How about CONFIG_EFI_SECURE_BOOT? Should this also disable the default?
> help
> Boot an AArch64 Linux Kernel image from memory.
> + It is enabled by default for backward compatibility, unless
Backwards relative to UEFI?
This focuses very much on default values. How about:
"The booti command is used for launching unsigned AArch64 and RISC-V
Linux kernel images. If you want to have secure boot either via signed
FIT images or via signed UEFI images, this option should be disabled."
> + FIT_SIGNATURE is set where it is disabled so that unsigned images
> + cannot be loaded. If a board needs to boot an AArch64 Linux Kernel
Why AArch64 and not RISC-V?
Who needs all those lines.
Best regards
Heinrich
> + image in this case, enable it here.
>
> config BOOTM_LINUX
> bool "Support booting Linux OS images"
>
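Review bot: the CMD_BOOTZ part of this hunk changes behaviour rather than preserving it: `+ default y if !FIT_SIGNATURE` is added where CMD_BOOTZ previously had no `default` line at all (there is no matching `-` line, unlike the `- default y` removed under CMD_BOOTI), so bootz would become enabled by default on every configuration without FIT_SIGNATURE, and the new help text stating that it "is enabled by default for backward compatibility" is not accurate for bootz. Either drop the new default line for CMD_BOOTZ and keep only the help text, or say explicitly in the commit message that bootz is newly enabled by default; the commit message also names CONFIG_CMD_BOOTI twice where the second occurrence presumably should read CONFIG_CMD_BOOTZ.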
More information about the U-Boot mailing list