Re: [U-Boot] booting signed Images

2014-05-07 Thread Heiko Schocher

Hello Simon,

On 05.05.2014 20:31, Simon Glass wrote:
> Hi Wolfgang,
>
> On 5 May 2014 11:55, Wolfgang Denk w...@denx.de wrote:
>> Dear Simon,
>>
>> In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=jm98lf96plf...@mail.gmail.com
>> you wrote:
>>
>>>> Should we not prevent booting uImages or unsigned FIT images when
>>>> CONFIG_FIT_SIGNATURE is defined?
>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>> env variable.
>>>>
>>>> What do you think?
>>>
>>> There is a 'required' property in the public keys which is intended to
>>> support this. If you mark a key as 'required' then it will need to be
>>> verified by any image that is loaded. There is a test for this case,
>>> but it may not be comprehensive.
>>
>> But what about legacy uImage files?  It appears nothing would stop
>> booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.


The question here is: do we introduce a new config option for this,
or do we use, for example, CONFIG_FIT_SIGNATURE to disable it?

I prefer to check CONFIG_FIT_SIGNATURE and disable IMAGE_FORMAT_LEGACY
completely.

bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot


Re: [U-Boot] booting signed Images

2014-05-07 Thread Simon Glass
Hi Heiko,

On 7 May 2014 01:06, Heiko Schocher h...@denx.de wrote:
> Hello Simon,
>
> On 05.05.2014 20:31, Simon Glass wrote:
>> Hi Wolfgang,
>>
>> On 5 May 2014 11:55, Wolfgang Denk w...@denx.de wrote:
>>> Dear Simon,
>>>
>>> In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm
>>> 98lf96plf...@mail.gmail.com you wrote:
>>>
>>>>> Should we not prevent booting uImages or unsigned FIT images when
>>>>> CONFIG_FIT_SIGNATURE is defined?
>>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>>> env variable.
>>>>>
>>>>> What do you think?
>>>>
>>>> There is a 'required' property in the public keys which is intended to
>>>> support this. If you mark a key as 'required' then it will need to be
>>>> verified by any image that is loaded. There is a test for this case,
>>>> but it may not be comprehensive.
>>>
>>> But what about legacy uImage files?  It appears nothing would stop
>>> booting one of those?
>>
>> That's right, there is nothing to stop that at present. The
>> verification happens either on each image (for per-image signing) or
>> on the selected configuration as a whole (in fit_image_load() when it
>> sees the kernel being loaded).
>>
>> One simple solution might be to check a CONFIG option in
>> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
>
> The question here is: do we introduce a new config option for this,
> or do we use, for example, CONFIG_FIT_SIGNATURE to disable it?
>
> I prefer to check CONFIG_FIT_SIGNATURE and disable IMAGE_FORMAT_LEGACY
> completely.


I suggest a new CONFIG option, like CONFIG_DISABLE_IMAGE_FORMAT_LEGACY or
possibly a device tree option, since if you force disabling of the legacy
format you are actually removing functionality. At present
CONFIG_FIT_SIGNATURE is a capability, and one capability should not
normally preclude another.

Regards,
Simon


[U-Boot] booting signed Images

2014-05-05 Thread Heiko Schocher

Hello Simon,

I just talked with Wolfgang about the booting process from signed images,
as it is described in:

doc/uImage.FIT/verified-boot.txt
doc/uImage.FIT/signature.txt

If we see it correctly, then it is still possible to boot a uImage
or a FIT image without a signature with bootm when CONFIG_FIT_SIGNATURE
is defined.

The question raised is whether this is good behaviour.

Should we not prevent booting uImages or unsigned FIT images when
CONFIG_FIT_SIGNATURE is defined?
Or at least prevent booting such unsigned images through a U-Boot
env variable.

What do you think?

Thanks in advance

bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Re: [U-Boot] booting signed Images

2014-05-05 Thread Simon Glass
Hi Heiko,

On 5 May 2014 01:35, Heiko Schocher h...@denx.de wrote:
> Hello Simon,
>
> I just talked with Wolfgang about the booting process from signed images,
> as it is described in:
>
> doc/uImage.FIT/verified-boot.txt
> doc/uImage.FIT/signature.txt
>
> If we see it correctly, then it is still possible to boot a uImage
> or a FIT image without a signature with bootm when CONFIG_FIT_SIGNATURE
> is defined.
>
> The question raised is whether this is good behaviour.
>
> Should we not prevent booting uImages or unsigned FIT images when
> CONFIG_FIT_SIGNATURE is defined?
> Or at least prevent booting such unsigned images through a U-Boot
> env variable.
>
> What do you think?

There is a 'required' property in the public keys which is intended to
support this. If you mark a key as 'required' then it will need to be
verified by any image that is loaded. There is a test for this case,
but it may not be comprehensive.

Regards,
Simon


Re: [U-Boot] booting signed Images

2014-05-05 Thread Wolfgang Denk
Dear Simon,

In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=jm98lf96plf...@mail.gmail.com
you wrote:
>
>> Should we not prevent booting uImages or unsigned FIT images when
>> CONFIG_FIT_SIGNATURE is defined?
>> Or at least prevent booting such unsigned images through a U-Boot
>> env variable.
>>
>> What do you think?
>
> There is a 'required' property in the public keys which is intended to
> support this. If you mark a key as 'required' then it will need to be
> verified by any image that is loaded. There is a test for this case,
> but it may not be comprehensive.

But what about legacy uImage files?  It appears nothing would stop
booting one of those?

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
Accident: A condition in which presence of mind is good, but  absence
of body is better.


Re: [U-Boot] booting signed Images

2014-05-05 Thread Simon Glass
Hi Wolfgang,

On 5 May 2014 11:55, Wolfgang Denk w...@denx.de wrote:
> Dear Simon,
>
> In message
> CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=jm98lf96plf...@mail.gmail.com you
> wrote:
>
>>> Should we not prevent booting uImages or unsigned FIT images when
>>> CONFIG_FIT_SIGNATURE is defined?
>>> Or at least prevent booting such unsigned images through a U-Boot
>>> env variable.
>>>
>>> What do you think?
>>
>> There is a 'required' property in the public keys which is intended to
>> support this. If you mark a key as 'required' then it will need to be
>> verified by any image that is loaded. There is a test for this case,
>> but it may not be comprehensive.
>
> But what about legacy uImage files?  It appears nothing would stop
> booting one of those?

That's right, there is nothing to stop that at present. The
verification happens either on each image (for per-image signing) or
on the selected configuration as a whole (in fit_image_load() when it
sees the kernel being loaded).

One simple solution might be to check a CONFIG option in
boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.

Regards,
Simon
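As an added illustration of the gate Simon describes above (and of the dedicated option he later suggests in this thread), here is a small C model written for this edit; it is not U-Boot code and not anything posted by the participants. The function and enum names (`gate_kernel`, `build_legacy_header`, `BOOT_*`) and the `legacy_allowed` flag, which stands in for the proposed compile-time option, are assumptions of this example. The two magic numbers, the 64-byte legacy header layout with its os/arch/type/comp codes, and the header CRC rule (CRC-32 over the header with the hcrc field zeroed) are properties of the real formats. The point the code makes concrete: a legacy uImage carries only a CRC, which anyone can recompute, so unless the dispatcher refuses the format outright, an attacker never has to touch the signed FIT path at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IH_MAGIC     0x27051956u  /* legacy uImage header magic, stored big-endian */
#define FDT_MAGIC    0xd00dfeedu  /* FIT images are flattened device trees */
#define IH_HDR_SIZE  64           /* size of the legacy image_header_t */
#define IH_NMLEN     32           /* length of the ih_name field */

/* Outcome of the gate; these names are this example's, not U-Boot's. */
enum boot_decision {
    BOOT_LEGACY_UNVERIFIED, /* legacy accepted: its only integrity check is a CRC */
    BOOT_REJECT_LEGACY,     /* legacy format switched off by policy */
    BOOT_REJECT_BAD_HCRC,   /* legacy header fails its own header CRC */
    BOOT_FIT_VERIFY,        /* FIT: hand to the FIT loader, where signatures are checked */
    BOOT_REJECT_UNKNOWN     /* neither format, or too short to tell */
};

/* CRC-32 (reflected 0xEDB88320 polynomial), the checksum legacy headers use. */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Legacy header (all big-endian): magic, hcrc, time, size, load, ep, dcrc,
 * then one byte each of os, arch, type, comp, then name[32].
 * hcrc is the CRC-32 of the whole header with the hcrc field itself zeroed. */
static int legacy_hcrc_ok(const uint8_t *hdr)
{
    uint8_t tmp[IH_HDR_SIZE];
    memcpy(tmp, hdr, IH_HDR_SIZE);
    memset(tmp + 4, 0, 4);
    return crc32_buf(tmp, IH_HDR_SIZE) == be32(hdr + 4);
}

/* Builds a legacy header that passes every check a legacy loader makes on it.
 * Anyone can do this: a CRC says nothing about who produced the image. */
void build_legacy_header(uint8_t hdr[IH_HDR_SIZE], const char *name, uint32_t data_size)
{
    size_t n = strlen(name);
    memset(hdr, 0, IH_HDR_SIZE);
    put_be32(hdr + 0, IH_MAGIC);
    put_be32(hdr + 12, data_size);
    hdr[28] = 5;   /* ih_os   = IH_OS_LINUX */
    hdr[29] = 2;   /* ih_arch = IH_ARCH_ARM */
    hdr[30] = 2;   /* ih_type = IH_TYPE_KERNEL */
    hdr[31] = 0;   /* ih_comp = IH_COMP_NONE */
    if (n > IH_NMLEN - 1)
        n = IH_NMLEN - 1;
    memcpy(hdr + 32, name, n);
    put_be32(hdr + 4, crc32_buf(hdr, IH_HDR_SIZE)); /* hcrc field is still zero here */
}

/* The gate: what a boot_get_kernel()-style dispatcher would decide before any
 * image-specific loading. `legacy_allowed` is this example's stand-in for the
 * compile-time option proposed in the thread. */
enum boot_decision gate_kernel(const uint8_t *img, size_t len, int legacy_allowed)
{
    if (len < 4)
        return BOOT_REJECT_UNKNOWN;

    uint32_t magic = be32(img);
    if (magic == FDT_MAGIC)
        return BOOT_FIT_VERIFY;          /* 'required' keys are enforced on this path */

    if (magic == IH_MAGIC) {
        if (!legacy_allowed)
            return BOOT_REJECT_LEGACY;   /* closes the unsigned-image path */
        if (len < IH_HDR_SIZE || !legacy_hcrc_ok(img))
            return BOOT_REJECT_BAD_HCRC;
        return BOOT_LEGACY_UNVERIFIED;   /* would boot with no authentication at all */
    }
    return BOOT_REJECT_UNKNOWN;
}

int main(void)
{
    uint8_t hdr[IH_HDR_SIZE];
    build_legacy_header(hdr, "forged kernel", 4096);  /* constructed sample input */
    printf("legacy image, legacy allowed : decision %d\n", gate_kernel(hdr, sizeof hdr, 1));
    printf("legacy image, legacy disabled: decision %d\n", gate_kernel(hdr, sizeof hdr, 0));
    return 0;
}
```

The ordering inside `gate_kernel` matters: the policy check comes before the CRC check, so with the legacy format disabled the dispatcher never even parses a legacy header, which is the "disable support for IMAGE_FORMAT_LEGACY" behaviour rather than a verification failure. Whether a FIT image handed to the FIT path is actually rejected still depends on a key being marked 'required' in the control device tree; this gate only removes the route around that check.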


Re: [U-Boot] booting signed Images

2014-05-05 Thread Wolfgang Denk
Dear Simon,

In message capnjgz3okq8uzmorq7m7zwdwsfa2yzqct2f69skwgjdymoz...@mail.gmail.com
you wrote:

>> There is a 'required' property in the public keys which is intended to
>> support this. If you mark a key as 'required' then it will need to be
>> verified by any image that is loaded. There is a test for this case,
>> but it may not be comprehensive.
>>
>> But what about legacy uImage files?  It appears nothing would stop
>> booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.

This makes sense to me.  Thanks!

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
I haven't lost my mind -- it's backed up on tape somewhere.