[PATCH 0/2] Enable strict signature verification for FIT
Oleksandr Suvorov
oleksandr.suvorov at foundries.io
Thu Sep 16 15:09:56 CEST 2021
FIT load checks the signature on loadable images, but just continues
in the case of a failure. This is undesirable behavior because the boot
process depends on the authenticity of every loadable part.
Add a check that verifies the FIT's configuration block, and fails if
it's not present or the signature doesn't match.
Henry Beberman (1):
spl: Add CONFIG_SPL_FIT_SIGNATURE_STRICT
Ricardo Salveti (1):
cmd: Add CONFIG_FIT_SIGNATURE_STRICT
cmd/fpga.c | 14 ++++++++++++++
cmd/source.c | 14 ++++++++++++++
cmd/ximg.c | 14 ++++++++++++++
common/Kconfig.boot | 11 +++++++++++
common/spl/spl_fit.c | 21 ++++++++++++++++++++-
5 files changed, 73 insertions(+), 1 deletion(-)
--
2.31.1
More information about the U-Boot
mailing list