Hello developers,
I've set up verified boot on an imx6 board and want to protect my device against
the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt".
That's why, as in doc/uImage.FIT/signed-configs.its, I have only implemented
signed configurations and no signed images.
My public key in my embedded fdt has the property required = "conf";.
Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public
key required for configurations works as expected and fails to boot if I
modify the config, image, hash, signature and so on.
If I boot any FIT image (signed and unsigned) with
"bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I could
boot every image combination without signature verification.
Is this the expected behavior?
I thought that if I set the public key in the embedded fdt as required for
configurations, bootm would only boot configurations and no subimages directly...
Regards
Johann Neuhauser