Problem with U-boot | Configuration Signature not being checked while booting

Tom Rini trini at konsulko.com
Sun Sep 12 17:02:55 CEST 2021


On Sun, Sep 12, 2021 at 02:58:12AM +0500, Moiz Imtiaz wrote:

> Completely agreed, that a fully secure boot on pi won't be achievable
> because the Root of Trust (ROT) can't be established from the BOOTROM/EEPROM.
> Plus Pi doesn't have any High Assurance Boot (HAB). But given the
> scenario, whatever we can achieve, i.e. if we can verify the kernel, the
> device tree, from the bootloader (u-boot), that would be great.
> 
> Currently the issue with Pi4 is that signature verification is not being
> done with u-boot, so wondering if that can be made possible.

Right, OK.  Yes, I think it would be possible, but you'll need to
experiment a bit.  You'll basically want to take the signature
information that the U-Boot docs talk about out of the created device
tree, and put it in its own file, and then have the Pi firmware apply
that as an "overlay", as it assembles the tree to use.  Then the regular
mechanism U-Boot uses to use the passed in device tree should work.

> >But that applies to the scenario where the public key is stored in the
> > device tree embedded in u-boot itself as well
> 
> Just for the sake of knowledge, isn't this the case with all u-boot, that
> the public key is stored in the device tree (control FDT) and is embedded
> in the u-boot?

You're in experimental territory here, yes.  The existing examples all
are on platforms where a prior stage wouldn't be giving us a device
tree.  U-Boot should not actually care where the device tree comes from
so long as it is correct.

I've only got a Pi 3 in my CI lab, and since it's CI I also really hate
fiddling with it since I then end up spending more time re-setting it
for CI.

-- 
Tom
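
An added illustration of the approach described in the message above (not code from the message, from U-Boot or from the Raspberry Pi firmware): a sketch that lifts the /signature node out of a control FDT decompiled to DTS and wraps it in an overlay source. The node layout follows the U-Boot verified-boot documentation; the sample DTS, the key name "dev" and the helper names are constructed for illustration, and whether the Pi firmware applies such an overlay as intended is an untested assumption.

```python
import re

# Constructed sample: shape of a control FDT decompiled to DTS after mkimage -K.
# The large rsa,modulus / rsa,r-squared properties are left out for brevity.
SAMPLE_DTS = '''/dts-v1/;
/ {
	model = "constructed-board";
	signature {
		key-dev {
			required = "conf";
			algo = "sha256,rsa2048";
			rsa,num-bits = <0x800>;
			key-name-hint = "dev";
		};
	};
	chosen { };
};
'''

def extract_node(dts, name):
    """Return the source text of the first node called `name`, braces balanced."""
    m = re.search(r'^[ \t]*' + re.escape(name) + r'\s*\{', dts, re.M)
    if m is None:
        raise ValueError('no %s node in device tree source' % name)
    depth, in_str = 0, False
    for i in range(m.end() - 1, len(dts)):
        c = dts[i]
        if c == '"':                      # ignore braces inside string values
            in_str = not in_str
        elif not in_str and c == '{':
            depth += 1
        elif not in_str and c == '}':
            depth -= 1
            if depth == 0:
                end = dts.index(';', i) + 1   # include the closing "};"
                return dts[m.start():end]
    raise ValueError('unbalanced braces in %s node' % name)

def make_overlay(dts):
    """Wrap the signature node in an overlay fragment that targets the root."""
    node = extract_node(dts, 'signature')
    body = '\n'.join('\t\t' + l if l.strip() else l for l in node.splitlines())
    return ('/dts-v1/;\n/plugin/;\n\n/ {\n\tfragment@0 {\n'
            '\t\ttarget-path = "/";\n\t\t__overlay__ {\n' + body +
            '\n\t\t};\n\t};\n};\n')

if __name__ == '__main__':
    print(make_overlay(SAMPLE_DTS))
```

The generated source would then be compiled with dtc into a .dtbo and named in a dtoverlay= line in config.txt, so that the device tree the firmware hands to U-Boot carries the public key node.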