Fit Signature booting without public key

Tom Rini trini at konsulko.com
Tue May 16 17:30:06 CEST 2023


On Tue, May 16, 2023 at 12:11:24PM +0530, Manorit Chawdhry wrote:

> Hi All,
> 
> I recently came upon a discussion that had happened a while back [0].
> I want to continue the discussion as I believe the issue still persists
> and the checks around fit signature booting are still the same, that
> allows booting the fit without changing the uboot dtb.
> 
> Allowing the signed fit image without this seems to be a bypass that is
> available and should not be allowed without any gate to it for people
> who'd like to enforce these signing checks. Let me know if there is a
> config already available for it and if not, are there any plans to
> enable such a config in future. Would like to hear your opinions on
> this as I believe this should be fixed as soon as possible.
> 
> [0]: https://u-boot.denx.narkive.com/dEClg9dW/signed-fit-image-boots-without-public-key

Yes, can you please reproduce the issue in question on the current tree,
with a supported platform and provide the defconfig and steps you used
for this issue? Thanks.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20230516/3b9af034/attachment.sig>


More information about the U-Boot mailing list