Hello Simon,
> > Dear U-Boot devs,
> >
> > I've set up verified boot on an imx6 board and want to protect my device
> > against the "mix and match" attacks mentioned in
> > "doc/uImage.FIT/signature.txt".
> > That's why I have only implemented signed configurations and no signed
> > images as in doc/uImage.FIT/signed-configs.its.
> > My public key in my embedded fdt has the property required = "conf";
> >
> > Booting a signed config with "bootm ${loadaddr}#conf@1" and an
> > embedded public key required for configurations does work as expected and
> > fails to boot if I modify the config, image, hash, signature and so on.
> >
> > If I boot any FIT image (signed or unsigned), for example with "bootm
> > ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot
> > every image combination without signature verification, although a signature
> > is enforced for a configuration.
> >
> > Is this the expected behavior?
> >
> > I thought that if I set the public key in the embedded fdt as required for
> > configurations, bootm would only boot signed configurations and no
> > subimages directly...
>
> I don't think there is any restriction on that at the moment. You are
> explicitly asking to boot particular images rather than a config. So I
> suppose it would be odd if U-Boot tried to enforce a config. Are you
> thinking it should try to find a config that has those images in it?
No, I expected that I cannot boot sub-images directly if there is a required
public key for a configuration.
After a dive into the bootm source I think it is not easily possible to
enforce this behavior.
> But why not just specify the config to bootm?
At first I wanted to use a simple boot script wrapped in a FIT image (unsigned)
and have only the needed commands enabled in U-Boot.
Now I switched to a signed U-Boot script as boot script and can be sure that
this one does not get tampered with.
The only bad thing here is that the source command only has support for
FIT sub-images, and I have to sign the config and the image of my system
image if I have a required certificate for images and configs.
Probably this behavior should be mentioned in the doc.
Many thanks for the clarification.
Best regards
Johann Neuhauser
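A concrete view of the two signing modes discussed in this thread, added here as an illustration and not taken from the mail thread or from the U-Boot tree: a FIT source (.its) in the style of doc/uImage.FIT/signed-configs.its with a signed configuration, a separately signed boot script for use with the source command, and the key nodes that mkimage -K writes into the U-Boot control device tree. The key names (dev, script), file names, load addresses and the boot.cmd contents are assumptions; the rsa,* key properties are omitted because mkimage generates them.

```dts
/* --- image.its: FIT source with a signed configuration (added example) --- */
/dts-v1/;

/ {
	description = "Kernel + DTB + boot script, signed configuration";
	#address-cells = <1>;

	images {
		kernel@1 {
			description = "Linux kernel";
			data = /incbin/("zImage");          /* placeholder path */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x10800000>;                /* assumed i.MX6 load address */
			entry = <0x10800000>;
			/* Hash only: the configuration signature below covers this
			 * hash, so the kernel is verified only when booted via
			 * "bootm ${loadaddr}#conf@1", not via "bootm ${loadaddr}:kernel@1". */
			hash@1 {
				algo = "sha256";
			};
		};

		fdt@1 {
			description = "Device tree";
			data = /incbin/("board.dtb");       /* placeholder path */
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash@1 {
				algo = "sha256";
			};
		};

		script@1 {
			description = "U-Boot boot script (plain text for FIT scripts)";
			data = /incbin/("boot.cmd");        /* placeholder path */
			type = "script";
			arch = "arm";
			os = "linux";
			compression = "none";
			hash@1 {
				algo = "sha256";
			};
			/* "source ${loadaddr}:script@1" selects a sub-image, which
			 * bypasses configuration signatures, so the script carries
			 * its own signature checked by a key with required = "image". */
			signature@1 {
				algo = "sha256,rsa2048";
				key-name-hint = "script";
			};
		};
	};

	configurations {
		default = "conf@1";
		conf@1 {
			description = "Kernel and DTB verified as one unit";
			kernel = "kernel@1";
			fdt = "fdt@1";
			/* Signs the configuration node together with the hash nodes of
			 * the listed images, so kernel@1 and fdt@1 cannot be mixed and
			 * matched with other images when booted through this config. */
			signature@1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";
				sign-images = "kernel", "fdt";
			};
		};
	};
};

/* --- Fragment of the U-Boot control DTB (u-boot.dtb) after
 *   mkimage -f image.its -k keys/ -K u-boot.dtb -r image.fit
 * mkimage fills in the rsa,* properties (modulus, exponent, r-squared,
 * n0-inverse, num-bits); only the policy properties are shown here. --- */
/ {
	signature {
		key-dev {
			required = "conf";      /* configurations must be signed by this key */
			algo = "sha256,rsa2048";
			key-name-hint = "dev";
		};
		key-script {
			required = "image";     /* sub-images booted or sourced directly must be signed by this key */
			algo = "sha256,rsa2048";
			key-name-hint = "script";
		};
	};
};
```

With only key-dev present (required = "conf"), "bootm ${loadaddr}#conf@1" verifies the configuration and refuses a modified kernel, DTB, hash or signature, while "bootm ${loadaddr}:kernel@1 - fdt@1" boots the sub-images without any check, which is the behavior the thread describes. Adding a key with required = "image" makes U-Boot demand a signature on every image it loads directly, which is why the signed boot script needs its own signature node and why a system image that is also sourced or booted by sub-image name must be signed at both the image and configuration level.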
_______________________________________________
U-Boot mailing list
[email protected]
https://lists.denx.de/listinfo/u-boot