[PATCH v2 00/14] Introduce the lwIP network stack
Martin Husemann
martin at NetBSD.org
Mon May 27 11:45:22 CEST 2024
On Mon, May 27, 2024 at 11:36:26AM +0200, Jerome Forissier wrote:
> You're correct. The point I am making is about using a secure
> (authenticated) connection, and I should have clarified that. While using
> HTTPS might not be critical on a local network, things are different when
> downloading from the internet (think man-in-the-middle attacks).

(Sorry if this sounds like nitpicking, but I am genuinely curious)

How is it supposed to work?

You need not only https but also verify the presented certificate chain,
and for that you need up-to-date root certificates (e.g. the bundle
available from Mozilla).

This sounds a bit outside the scope of u-boot to me (or you should
avoid the man-in-the-middle argument, which leaves the still valid
"sites stop offering plain http" argument).

If you really worry about man-in-the-middle you need to download via
https in an environment that does certificate validation, and then
even better verify the hash of the downloaded image. After that you
can offer the image locally - via http, https or tftp - for installations.

Martin
More information about the U-Boot
mailing list