Dear U-Boot devs,
I've set up verified boot on an imx6 board and want to protect my device against
the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt".
That's why I have only implemented signed configurations and no signed images,
as in doc/uImage.FIT/signed-configs.its.
My public key in my embedded fdt has the property required = "conf";
Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public
key required for configurations does work as expected and does fail to boot if I
modify the config, image, hash, signature and so on.
If I boot any FIT image (signed or unsigned), for example with "bootm
${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot
every image combination without signature verification, although a signature is
enforced for a configuration.
Is this the expected behavior?
I thought that if I had set the public key in the embedded fdt as required for
configurations, bootm would only boot signed configurations and not subimages
directly...
Best regards
Johann Neuhauser
DH electronics GmbH
_______________________________________________
U-Boot mailing list
[email protected]
https://lists.denx.de/listinfo/u-boot