[PATCH 0/2] RFC: add fdt_add_pubkey tool

Simon Glass sjg at chromium.org
Thu Nov 11 01:31:34 CET 2021 

Hi Jan,

On Wed, 10 Nov 2021 at 13:51, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>
> On 10.11.21 20:36, Simon Glass wrote:
> > Hi Jan,
> >
> > On Wed, 10 Nov 2021 at 09:48, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>
> >> On 10.11.21 17:31, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Tue, 9 Nov 2021 at 23:44, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>>>
> >>>> On 10.11.21 01:58, Simon Glass wrote:
> >>>>> Hi Jan,
> >>>>>
> >>>>> On Tue, 9 Nov 2021 at 03:07, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>>>>>
> >>>>>> On 09.11.21 10:37, Roman Kopytin wrote:
> >>>>>>> Can we have discussion with code lines? For me it is not very clear, because it isn't my code.
> >>>>>>>
> >>>>>>
> >>>>>> Please do not top-post.
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Jan Kiszka <jan.kiszka at siemens.com>
> >>>>>>> Sent: Tuesday, November 9, 2021 12:17 PM
> >>>>>>> To: Roman Kopytin <Roman.Kopytin at kaspersky.com>; u-boot at lists.denx.de; Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> >>>>>>> Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool
> >>>>>>>
> >>>>>>> On 08.11.21 16:28, Roman Kopytin wrote:
> >>>>>>>> In order to reduce the coupling between building the kernel and
> >>>>>>>> U-Boot, I'd like a tool that can add a public key to U-Boot's dtb
> >>>>>>>> without simultaneously signing a FIT image. That tool doesn't seem to
> >>>>>>>> exist, so I stole the necessary pieces from mkimage et al and put it
> >>>>>>>> in a single .c file.
> >>>>>>>>
> >>>>>>>> I'm still working on the details of my proposed "require just k out
> >>>>>>>> these n required keys" and how it should be implemented, but it will
> >>>>>>>> probably involve teaching this tool a bunch of new options. These
> >>>>>>>> patches are not necessarily ready for inclusion (unless someone else
> >>>>>>>> finds fdt_add_pubkey useful as is), but I thought I might as well send
> >>>>>>>> it out for early comments.
> >>>>>>>
> >>>>>>> I'd also like to see the usage of this hooked into the build process.
> >>>>>>>
> >>>>>>> And to my understanding of [1], that approach will provide a feature that permits hooking with the build but would expect the key as dtsi fragment. Can we consolidate the approaches?
> >>>>>>>
> >>>>>>> My current vision of a user interface would be a Kconfig option that takes a list of key files to be injected. Maybe make that three lists, one for "required=image", one for "required=conf", and one for optional keys (if that has a use case in practice, no idea).
> >>>>>>>
> >>>>>>> Jan
> >>>>>>>
> >>>>>>> [1]
> >>>>>>> https://lore.kernel.org/u-boot/20210928085651.619892-1-rasmus.villemoes@prevas.dk/
> >>>>>>>
> >>>>>>> --
> >>>>>>> Siemens AG, T RDA IOT
> >>>>>>> Corporate Competence Center Embedded Linux
> >>>>>>>
> >>>>>>
> >>>>>> For what would you like to have code? The kconfig addition?
> >>>>>>
> >>>>>> diff --git a/common/Kconfig.boot b/common/Kconfig.boot
> >>>>>> index d3a12be228..a9ed4d4ec4 100644
> >>>>>> --- a/common/Kconfig.boot
> >>>>>> +++ b/common/Kconfig.boot
> >>>>>> @@ -279,6 +279,14 @@ config SPL_FIT_GENERATOR
> >>>>>>
> >>>>>>  endif # SPL
> >>>>>>
> >>>>>> +config FIT_SIGNATURE_PUB_KEYS
> >>>>>> +       string "Public keys to use for FIT image verification"
> >>>>>> +       depends on FIT_SIGNATURE || SPL_FIT_SIGNATURE
> >>>>>> +       help
> >>>>>> +         Public keys, or certificate files to extract them from, that shall
> >>>>>> +         be used to verify signed FIT images. The keys will be embedded into
> >>>>>> +         the control device tree of U-Boot.
> >>>>>> +
> >>>>>>  endif # FIT
> >>>>>>
> >>>>>>  config LEGACY_IMAGE_FORMAT
> >>>>>>
> >>>>>>
> >>>>>> But note that we are in a design discussion here, and I'm at least
> >>>>>> reluctant to code up n-versions without having some common idea where
> >>>>>> things should move.
> >>>>>
> >>>>> I'm not sure we want this built into U-Boot. I see signing of a
> >>>>> firmware image as a final step, with the keys being added then, e.g.
> >>>>> by binman.
> >>>>
> >>>> This is not signing, this in embedding public key information into build
> >>>> artifacts before they can be signed. As pointed out in my other thread,
> >>>> not having an embedding feature is a major drawback of the current
> >>>> workflow. It easily forces you to rebuild existing build flows in
> >>>> out-of-tree scripts.
> >>>
> >>> The public key is not needed for signing to work, right? I don't
> >>> understand what you are getting at here. If you want to add the public
> >>> key to the image before it is signed, that's fine. I just don't
> >>> understand why you want to do that. Why not have the signer do
> >>> everything?
> >>
> >> A) Because sensitive signing environments will not run arbitrary logic.
> >>    They will hand out the public key, but they may not give you the
> >>    chance to run mkimage with the private key, like you would do during
> >>    development.
> >
> > That's OK, so long as there is a way to get the data to be signed in,
> > and the public key and signature out.
> >
> >>
> >> B) It avoids having to run the signing process in a specific order
> >>    because it already embeds the public key during build, thus
> >>    generates everything that shall be signed upfront.
> >
> > The public key is not signed though. Whether it is present at the
> > start or not is not important.
>
> The public key is signed when it is placed into an image that is signed.
> That is the case, e.g., when injecting it into the SPL control FDT and
> then signing the SPL image. Or when injecting it into the main control
> FDT and signing U-Boot proper afterwards.

Ah OK, so it is signed along with everything else.

Regards,
Simon


>
> Jan
>
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux

More information about the U-Boot mailing list