On Wed, Dec 13, 2017 at 09:41:35PM +0530, Jagan Teki wrote: > On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard > <maxime.rip...@free-electrons.com> wrote: > > Hi, > > > > On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote: > >> Add verified-boot documentation for sunxi a64 platform. > >> > >> Signed-off-by: Jagan Teki <ja...@amarulasolutions.com> > >> --- > >> Changes for v3: > >> - Create separate document file > >> Changes for v2: > >> - New patch > >> > >> doc/README.sunxi | 193 > >> +++++++++++++++++++++++++++++++++++++++++++++++++++++++ > >> 1 file changed, 193 insertions(+) > >> create mode 100644 doc/README.sunxi > >> > >> diff --git a/doc/README.sunxi b/doc/README.sunxi > >> new file mode 100644 > >> index 0000000..ef4f735 > >> --- /dev/null > >> +++ b/doc/README.sunxi 
> >> @@ -0,0 +1,193 @@ > >> +# > >> +# Copyright (C) 2017 Amarula Solutions > >> +# > >> +# SPDX-License-Identifier: GPL-2.0+ > >> +# > >> + > >> +U-Boot on SunXi > >> +============== > >> + > >> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi > >> platform. > >> + > >> + 1. Verified Boot > >> + > >> +1. Verified Boot > >> +================ > >> + > >> +U-Boot supports an image verification method called "Verified Boot". > >> +This is a brief tutorial to utilize this feature for the Sunxi A64 > >> platform. > >> +You will find details documents in the doc/uImage.FIT directory. > >> + > >> +Here, we take Orangepi Win board for example, but it should work for any > >> +other boards including 32 bit SoCs. > >> + > >> +1. Generate RSA key to sign > >> + > >> + $ mkdir keys > >> + $ openssl genpkey -algorithm RSA -out keys/dev.key \ > >> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 > >> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt > >> + > >> +Two files "dev.key" and "dev.crt" will be created. The base name is > >> arbitrary, > >> +but need to match to the "key-name-hint" property described below. > > > > I really think that the very first thing you must talk about in that > > documentation is that it will not protect the SPL itself and that this > > is not a secure setup. > > Based on my experience with U-boot, verified-boot here doesn't relate > to protect SPL or U-Boot. it's generally for kernel and followed > stages. I don't think we can think here too-much. some reference > doc/README.uniphier
Except that when you read verified boot, it also comes with the assumption that you're actually protected against something. In this particular case, you're protected against exactly nothing. Anyone could come up, replace the bootloader to remove the signature check, and you're doomed. It's trivial to do, and you're not mentioning it anywhere.

Maxime

--
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
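
Review bot: The "1. Verified Boot" introduction in the new doc/README.sunxi never states what the signature check covers and what it leaves unverified, which is the gap raised in this thread. Add a short scope paragraph before "1. Generate RSA key to sign" saying that the kernel and later stages are verified while the SPL and U-Boot themselves are not, so a reader does not take this setup for a complete chain of trust. In the key generation step, `openssl genpkey -algorithm RSA -out keys/dev.key` writes the signing key to disk unencrypted, and the sentence that follows treats "dev.key" and "dev.crt" alike; say that dev.key is the secret half and has to be kept off the target and out of the source tree. Style: the `==============` underline beneath "U-Boot on SunXi" is one character short, and "Tutorial describe all details" and "details documents" need a grammar fix.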
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot