FIT signature security flaw

Simon Glass sjg at chromium.org
Mon Oct 14 21:13:22 CEST 2024


Hi,

On Mon, 14 Oct 2024 at 08:24, Sean Anderson <sean.anderson at seco.com> wrote:
>
> Hi Lev,
>
> On 10/14/24 04:42, Lev R. Oshvang wrote:
> > Hi Sean,
> >
> > I am looking for help with a U-Boot FIT signatures problem.
> >
> > I started to work with FIT images (U-Boot 2024) and managed to sign a
> > kernel and load this image with U-Boot using the 'required' property in
> > the signature as:
> >
> >         signature-1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev_key";
> >                 sign-images = "kernel";
> >                 required = "conf";
> >         };
> >
> > iminfo reports:
> >
> > ## Checking hash(es) for FIT Image at 01000000 ...
> >    Hash(es) for Image 0 (kernel-1): sha256+ sha256,rsa2048:dev_key-
> >
> > To test the procedure, I generated another private key and signed
> > another kernel with this new key on another Linux host.
> >
> > I expected bootm to fail, but it just happily loads this image!!!
> >
> > Even an image without a signature but with a valid hash is not
> > rejected, against my expectations.
> >
> > In this case iminfo reports only that the hash is OK.
>
> Did you embed the public key into your U-Boot devicetree with `mkimage -K` ?

Also see the walkthrough at [1] which might help.

The 'required' field needs to be in the public-key information (i.e.
protected and separate from the image being loaded), not the signature
node, since anyone can change the signature node.

Regards,
Simon

[1] https://docs.u-boot.org/en/latest/usage/fit/beaglebone_vboot.html
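The placement Simon describes, written out as an added example (this is not from the thread or from the U-Boot tree; the key name follows the poster's "dev_key", while the file names and the "conf-1" configuration name are assumptions). The signature node in the .its only names which key signs which images; the enforcement switch, 'required', belongs in the key node of U-Boot's own control devicetree, which is compiled into the U-Boot binary and so cannot be edited by whoever supplies the FIT:

```dts
/* --- kernel.its (in the FIT that is loaded; attacker-controlled) --- */
/ {
	images {
		kernel-1 {
			data = /incbin/("zImage");
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			hash-1 { algo = "sha256"; };
		};
	};
	configurations {
		default = "conf-1";
		conf-1 {
			kernel = "kernel-1";
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev_key";
				sign-images = "kernel";
				/* NO 'required' here: a property in the loaded image
				 * can be removed by anyone who rewrites the image. */
			};
		};
	};
};

/* --- u-boot.dts (control devicetree built into U-Boot; protected) --- */
/ {
	signature {
		key-dev_key {          /* node name is "key-" + key-name-hint */
			required = "conf"; /* every configuration must verify with this key */
			algo = "sha256,rsa2048";
			key-name-hint = "dev_key";
			/* rsa,modulus, rsa,exponent, rsa,r-squared, rsa,n0-inverse
			 * and rsa,num-bits are filled in here by 'mkimage -K'. */
		};
	};
};
```

The usual workflow that produces this is `mkimage -f kernel.its -k keys -K u-boot.dtb -r kernel.itb` (with `keys/dev_key.key` and `keys/dev_key.crt` present): `-K` writes the public key into u-boot.dtb and `-r` marks that key as required ("conf" when configurations are signed), so the property is never hand-typed into the .its. Two checks worth making before trusting the result: U-Boot must be built with CONFIG_FIT_SIGNATURE (and the RSA support it selects), and the u-boot.dtb actually flashed must be the one that received the key, which can be confirmed with `fdtget u-boot.dtb /signature/key-dev_key required`. Once a required key is present, bootm rejects a configuration whose signature does not verify with it, which covers both the second key from the poster's test and the unsigned, hash-only image.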

