FIT signature security flaw
Simon Glass
sjg at chromium.org
Mon Oct 14 21:13:22 CEST 2024

Hi,

On Mon, 14 Oct 2024 at 08:24, Sean Anderson <sean.anderson at seco.com> wrote:
>
> Hi Lev,
>
> On 10/14/24 04:42, Lev R. Oshvang wrote:
> > Hi Sean,
> >
> > I am looking for help with a U-Boot FIT signature problem.
> >
> >
> >
> > I started to work with a FIT image (U-Boot 2024) and managed to sign
> > a kernel and load this image with U-Boot using the 'required' property
> > in the signature as:
> >
> > signature-1 {
> >     algo = "sha1,rsa2048";
> >     key-name-hint = "dev_key";
> >     sign-images = "kernel";
> >     required = "conf";
> > };
> >
> > Iminfo reports:
> >
> > ## Checking hash(es) for FIT Image at 01000000 ...
> >
> > Hash(es) for Image 0 (kernel-1): sha256+ sha256,rsa2048:dev_key-
> >
> >
> >
> > To test the procedure, I generated another private key and signed
> > another kernel with this new key on another Linux host.
> >
> >
> >
> >
> >
> > I expected bootm to fail, but it just happily loads this image!!!
> >
> > Even an image without a signature but with a valid hash is not
> > rejected against my expectations.
> >
> > In this case iminfo reports only that the hash is OK.
>
> Did you embed the public key into your U-Boot devicetree with `mkimage -K` ?

Also see the walkthrough at [1] which might help.

The 'required' field needs to be in the public-key information (i.e.
protected and separate from the image being loaded), not the signature
node, since anyone can change the signature node.

Regards,
Simon

[1] https://docs.u-boot.org/en/latest/usage/fit/beaglebone_vboot.html
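
The following check is an added example, not part of the original message and not U-Boot code. It illustrates the point above by reading constructed `dtc`-style text for a U-Boot control devicetree and for the FIT signature node from the thread, then reporting where 'required' actually sits. The function names, the sample key node and the regex-based parsing are assumptions made for illustration.

```python
import re

# Constructed sample: text form of a U-Boot control devicetree after the
# public key was embedded (RSA key material left out for brevity).
CONTROL_DTS = '''
/ {
    signature {
        key-dev_key {
            required = "conf";
            algo = "sha1,rsa2048";
            key-name-hint = "dev_key";
        };
    };
};
'''

# Constructed sample: the FIT signature node quoted in the thread.
FIT_DTS = '''
signature-1 {
    algo = "sha1,rsa2048";
    key-name-hint = "dev_key";
    sign-images = "kernel";
    required = "conf";
};
'''

NODE = re.compile(r'([\w,@.+-]+)\s*\{([^{}]*)\}\s*;')  # innermost nodes only
PROP = re.compile(r'([\w,#-]+)\s*=\s*"([^"]*)"\s*;')   # string properties only

def leaf_nodes(dts):
    """Return {node name: {property: string value}} for innermost nodes."""
    return {name: dict(PROP.findall(body)) for name, body in NODE.findall(dts)}

def enforced_keys(control_dts):
    """Keys marked required in the bootloader's own devicetree."""
    return {n: p["required"] for n, p in leaf_nodes(control_dts).items()
            if n.startswith("key-") and p.get("required") in ("image", "conf")}

def untrusted_required(fit_dts):
    """FIT signature nodes carrying 'required', which the image builder controls."""
    return sorted(n for n, p in leaf_nodes(fit_dts).items()
                  if n.startswith("signature") and "required" in p)

if __name__ == "__main__":
    print("required keys in control devicetree:", enforced_keys(CONTROL_DTS))
    print("'required' found inside the FIT:", untrusted_required(FIT_DTS))
```

An empty result from `enforced_keys` on the real control devicetree means no key is marked required there, which matches the behaviour reported in the thread.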