u-boot: signature check for u-boot scripts
Heiko Schocher
hs at denx.de
Wed Jan 11 07:13:39 CET 2023
Hello Sean,
Thanks for your answer!
On 10.01.23 17:27, Sean Anderson wrote:
> On 1/10/23 08:18, Heiko Schocher wrote:
>> Hello Simon,
[...]
>> While writting this email ... in [3] the line
>>
>> require = "conf"
>>
>> poped into my eyes .... and in fit_image_verify_required_sigs() there is check:
>>
>> if (!required || strcmp(required, "image"))
>> continue;
>>
>> and yes! changing in [3]
>>
>> -required = "conf";
>> +required = "image";
>>
>> makes sourcing the signed script working (error in case of no
>> signature or wrong signature)! ... but booting the signed fitimage
>> now breaks ... so it seems, I cannot use configuration signing with
>> images signing ?
>>
>> I tried to add two key nodes in signature node of u-boot dtb ... one with
>> require = "conf" and one with require = "image" ... but no luck...
>>
>> Also adding a configurations section to scripts its file did not helped
>> (which will not prevent the problem sourcing a not signed script)
>
> As you discovered, you must either have required = "image", in which case
>
> source :
>
> will be secure. Otherwise, you must use
>
> source \#
>
> Any other way is not secure.
My "hack" checks a configuration signature in fitimage with script in it...
so also "secure" ...
BTW: why we need a env variable to enable checking in cmd/source.c?
I would say, if verify fit images is enabled we always should check
signature ... but this is another question...
So I tried your suggestion:
=> tftp 100000 script.bin.signed;setenv verify 1;source \#100000
Speed: 1000, full duplex
Using ethernet at 24000 device
TFTP from server 192.168.3.1; our IP address is 192.168.3.40
Filename 'script.bin.signed'.
Load address: 0x100000
Loading: #
233.4 KiB/s
done
Bytes transferred = 1679 (68f hex)
## Executing script at 00000000
Wrong image format for "source" command
=>
same for
=> source \#100000:script-1
## Executing script at 00000000
Wrong image format for "source" command
=>
Which is the error message from the switch in image_source_script()
from cmd/source.c ...
(check if fitimage "is okay"):
=> source 100000
## Executing script at 00100000
sha256+ sha256,rsa2048:dev+ Hallo from script
=> source 100000:script-1
## Executing script at 00100000
sha256+ sha256,rsa2048:dev+ Hallo from script
=> source 100000:script-2
## Executing script at 00100000
Can't find 'script-2' FIT subimage
=>
and changing hash in fitimages signature leads to:
=> mw 1001c0 0 1
=> source 100000:script-1
## Executing script at 00100000
sha256+ sha256,rsa2048:dev- Hallo from script
=>
As I described ... problem "hash is detected, but script is executed",
as public key in u-boots dtb has required = "conf"; (as it is used also
for fitimage boot, where we use conf signing)
May you have an example (u-boot.dtb, its and complete working command
for a signed fitimage script)?
The main problem is (I think) that we check for fitimages which are
used for booting kernels, a "signed configuration" and in fitimage for scripts
only "image" signatures ... and a combination of both is not possible
(except I also sign the image nodes in kernel fitimage too ... which
than leads in checking configuration signature and image signature on
boot... but may a way to go (and disabling hash check) ?
bye,
Heiko
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs at denx.de
More information about the U-Boot
mailing list