From: Heiko Schocher <hs@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
Date: Mon, 12 May 2014 09:36:54 +0200
Message-ID: <53707A16.20703@denx.de>
In-Reply-To: <20140509191248.GV22182@bill-the-cat>

Hello Tom, Simon, Wolfgang, Lars,

On 09.05.2014 21:12, Tom Rini wrote:
> On Fri, May 09, 2014 at 12:47:44PM -0600, Simon Glass wrote:
>> Hi Wolfgang,
>>
>> On 9 May 2014 07:35, Wolfgang Denk <wd@denx.de> wrote:
>>> Dear Simon,
>>>
>>> In message <CAPnjgZ1_Cf-eu592YqF0=th7MT1da6Gh7Pv1Lxaf79kV8Lw9OQ@mail.gmail.com> you wrote:
>>>>
>>>> I agree that it might be dangerous to allow legacy boot when signature
>>>> verification is used. It would be nice to fix that.
>>>
>>> I think there is general agreement on this point.
>>>
>>>> This means that legacy is on by default, unless signature verification
>>>> is enabled, in which case the default flips. But I worry that it might
>>>> only confuse people. This seems like a Wolfgang / Tom question :-)
>>>
>>> OK, here is my 0.02€ to it:
>>>
>>> I think, no matter how we implement it, this should be exactly the
>>> behaviour. Average users tend to avoid reading documentation, so if
>>> they enable signature verification they most likely want a secure
>>> system, so we should give them just that. Only if someone really
>>> knows what he is doing he should be able to enable support for
>>> (insecure) legacy images.
>>>
>>> As for the implementation - yes, the
>>> #ifdef CONFIG_FIT_SIGNATURE_VERIFICATION
>>> approach indeed does not look very nice, but then, it appears to be
>>> the straightforward implementation of what we want to do?
>>
>> OK, well in that case, let's do it that way.
>
> Agreed, then we can look for clever ways to refactor the code after.

Ok, summary for one first step (I can do):

- introduce CONFIG_IMAGE_FORMAT_LEGACY based on patch [1]
  (rename "+#if !defined(CONFIG_DISABLE_IMAGE_FORMAT_LEGACY)"
  to "+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)")

- set CONFIG_IMAGE_FORMAT_LEGACY as default:
  (little bit adapted towards Simon's CONFIG_FIT_SIGNATURE_VERIFICATION
  proposal ... I don't want to introduce a new define ...)

  in config_defaults:
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_LEGACY
+#endif
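
Review bot: the `#define` line sets CONFIG_IMAGE_LEGACY, but the guard named in the first bullet tests CONFIG_IMAGE_FORMAT_LEGACY, so with this default the legacy code would be compiled out for every board, not only for those that define CONFIG_FIT_SIGNATURE. Use the same symbol in both places, i.e. `#define CONFIG_IMAGE_FORMAT_LEGACY`, and note in the documentation that defining CONFIG_FIT_SIGNATURE now changes the legacy default.
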

so, if boards do not define CONFIG_FIT_SIGNATURE, they
have default CONFIG_IMAGE_FORMAT_LEGACY enabled (as currently).

If CONFIG_FIT_SIGNATURE is enabled, legacy image format is disabled
by default (changes current behaviour of boards which use this
feature! This is only the case for:
$ grep -lr CONFIG_FIT_SIGNATURE include/
include/configs/zynq-common.h -> Michal, add Michal therefore to Cc
include/configs/sandbox.h -> Simon
include/configs/ids8313.h -> me
include/image.h
$
), but boards can enable it if needed (as ids8313 board needs
it ... yes not nice ...)

If boards which have not enabled CONFIG_FIT_SIGNATURE
want to disable legacy image format ... we can add this
case if we want like:

in config_defaults:
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_LEGACY
+#endif
+
+#ifdef CONFIG_DISABLE_IMAGE_LEGACY
+#undef CONFIG_IMAGE_LEGACY
+#endif
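
Review bot: the `#undef` at the end removes the legacy symbol even when a board defined it on purpose, so a config that sets both the legacy option and CONFIG_DISABLE_IMAGE_LEGACY is resolved silently; an `#error` on that combination would make the conflict visible. This also brings back a negative-sense DISABLE option, which the rename in the first bullet was moving away from, and the names here again lack the _FORMAT_ part that the bootm guard tests.
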

Is this a way to go?

bye,
Heiko

[1]:
[U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
http://lists.denx.de/pipermail/u-boot/2014-May/179190.html
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
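
The default discussed in this message, as an added example that is not part of the original mail or of U-Boot's code: a compile-time gate that recognises a legacy image only when CONFIG_IMAGE_FORMAT_LEGACY is defined. The helper names `classify_image` and `legacy_compiled_in` are hypothetical, and the build is assumed to have CONFIG_FIT_SIGNATURE set.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption for this sketch: a board with signature verification on.
 * Remove this line to see the legacy default switch back on. */
#define CONFIG_FIT_SIGNATURE

/* Default proposed in the thread: legacy only when signatures are off. */
#ifndef CONFIG_FIT_SIGNATURE
#define CONFIG_IMAGE_FORMAT_LEGACY
#endif

#define LEGACY_MAGIC 0x27051956u /* legacy uImage header magic */
#define FDT_MAGIC    0xd00dfeedu /* a FIT image is a device tree blob */

enum img_format { FMT_INVALID, FMT_LEGACY, FMT_FIT };

/* Both magics are stored big-endian at offset 0. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: classify an image under the build-time policy. */
enum img_format classify_image(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return FMT_INVALID;
    switch (be32(buf)) {
#ifdef CONFIG_IMAGE_FORMAT_LEGACY
    case LEGACY_MAGIC:
        return FMT_LEGACY;  /* protected by CRC32 only, no signature */
#endif
    case FDT_MAGIC:
        return FMT_FIT;     /* caller must still verify the signature */
    default:
        return FMT_INVALID; /* includes legacy when it is compiled out */
    }
}

/* Reports whether this build accepts legacy images at all. */
int legacy_compiled_in(void)
{
#ifdef CONFIG_IMAGE_FORMAT_LEGACY
    return 1;
#else
    return 0;
#endif
}
```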