From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: U-Boot FIT Signature Verification
Date: Thu, 17 Sep 2020 14:26:03 +0900 [thread overview]
Message-ID: <20200917052603.GA3099713@laputa> (raw)
In-Reply-To: <f5c8aea1-1d58-05f3-d9f0-1d8797dac118@gmx.de>
On Wed, Sep 16, 2020 at 01:14:56PM +0200, Heinrich Schuchardt wrote:
> On 16.09.20 10:13, AKASHI Takahiro wrote:
> > On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
> >> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
> >>> Hi there,
> >>>
> >>> Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
> >>>
> >>> Cheers,
> >>> Andy
> >>>
> >>
> >> Hello Philippe,
> >>
> >> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> >> find a comparison of the date on which an image was signed with the
> >> expiry date of the certificate. Shouldn't there be a check? Or did I
> >> simply look into the wrong function?
> >
> > I think Simon is the right person to answer this question, but
> >
> > as far as I know, we don't have any device tree property for the expiration
> > date of a public key. See doc/uImage.FIT/signature.txt.
>
> Yes, the problem starts with mkimage not writing the dates available in
> the X509 certificate into the device tree.
>
> The dates are accessible via the X509_get0_notBefore() and
> X509_get0_notAfter() functions of the OpenSSL library.
>
>
> Takahiro, could you, please, also look at the UEFI secure boot
> implementation in U-Boot. EDK2 validates the dates via the embedded
> OpenSSL library in
> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function
> verify_chain(). We should not do less.
Yes, we do the check. See pkcs7_verify_one() in lib/crypto/pkcs7_verify.c.
-Takahiro Akashi
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2020-09-17 5:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-11 17:26 U-Boot FIT Signature Verification Andrii Voloshyn
2020-09-15 23:19 ` Heinrich Schuchardt
2020-09-16 8:13 ` AKASHI Takahiro
2020-09-16 11:14 ` Heinrich Schuchardt
2020-09-16 11:40 ` Joakim Tjernlund
2020-09-16 11:55 ` Heinrich Schuchardt
2020-09-16 12:05 ` Joakim Tjernlund
2020-09-16 12:44 ` Heinrich Schuchardt
2020-09-16 19:54 ` Tom Rini
2020-09-17 5:33 ` takahiro.akashi at linaro.org
2020-09-17 5:57 ` takahiro.akashi at linaro.org
2020-09-17 5:26 ` AKASHI Takahiro [this message]
2020-09-16 20:01 ` Philippe REYNES
-- strict thread matches above, loose matches on Subject: below --
2020-09-16 15:31 REITHER Robert - Contractor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200917052603.GA3099713@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.