Teddy,

On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed <[email protected]> wrote:
>
> Hi all, question, is anyone using the U-Boot verified-boot in production?

I have been digging into this lately as well, and actually noticed a few other things on top of what you are seeing, mentioned below. I don't want to derail this email thread too much, but there is another patch working on signature-key fallback sequencing as well (which claims to be supported).

> I am using configuration verification for several OpenCompute/OpenBMC
> boards. After a deep-dive review I found some edge cases that in rare
> circumstances could lead to a signature check bypass.

Slightly related: if you use two FIT images to boot, it seems that the second will never be verified. Once the first is deemed OK, it just lets the boot happen.

> I think this is
> low-risk at best since the scenario requires special hardware behavior
> to exist. Our boards were susceptible in the general sense, but we had
> implemented some additional sanity checks on the FIT structures that
> prevented this.
>
> There are some proposed changes that attempt to mitigate this [1],
> [2], [3]. Any one of these changes mitigates the bypass scenario. If
> you don't mind reaching out to me I can share the exact
> situation/details.
>
> [1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
> [2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
> [3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html
>
> Thanks,
> -Teddy

Thanks,
Sam

_______________________________________________
U-Boot mailing list
[email protected]
https://lists.denx.de/listinfo/u-boot

