* [PATCH v2] ref-manual: variable FIT_SIGN_INDIVIDUAL mix-and-match attacks
@ 2025-02-25 21:37 Adrian Freihofer
2025-03-03 11:16 ` [docs] " Antonin Godard
0 siblings, 1 reply; 2+ messages in thread
From: Adrian Freihofer @ 2025-02-25 21:37 UTC (permalink / raw)
To: docs; +Cc: marex, Adrian Freihofer
Incorporate the lessons learned from a regression introduced with commit
29d32063ac0abb1017756f62f94aec22ce305b60 and fixed with commit
d63dba2f98edf89558647e336b19d805b00f4d98 into the documentation.
The use of the variable FIT_SIGN_INDIVIDUAL is explicitly discouraged.
It is also noted that this variable may be removed. It is important that
we try to simplify the implementation of the FIT screen as much as
possible. Adding appropriate notes to the documentation is a first step
towards this direction.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
---
documentation/ref-manual/variables.rst | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index b432488a012..645bb1453d1 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -3173,7 +3173,18 @@ system and gives an overview of their function and contents.
intending to verify signatures in another context than booting via
U-Boot.
- This variable is set to "0" by default.
+ If :term:`UBOOT_SIGN_ENABLE` is set to “1” and :term:`FIT_SIGN_INDIVIDUAL`
+ is left at its default value of “0”, only the configurations are signed.
+ However, the configuration signatures include the hashes of the referenced
+ image nodes. This means that the entire FIT image is appropriately signed.
+
+ If :term:`UBOOT_SIGN_ENABLE` is set to “1” and :term:`FIT_SIGN_INDIVIDUAL`
+ is set to “1”, then the FIT image is signed twice, which is redundant.
+ As this leads to additional complexity without providing any obvious
+ advantage, this feature will likely be removed in a future version.
+
+ Signing only the image nodes is intentionally not implemented by OE-core,
+ as it is vulnerable to mix-and-match attacks.
:term:`FIT_SIGN_NUMBITS`
Size of the private key used in the FIT image, in number of bits.
--
2.47.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [docs] [PATCH v2] ref-manual: variable FIT_SIGN_INDIVIDUAL mix-and-match attacks
2025-02-25 21:37 [PATCH v2] ref-manual: variable FIT_SIGN_INDIVIDUAL mix-and-match attacks Adrian Freihofer
@ 2025-03-03 11:16 ` Antonin Godard
0 siblings, 0 replies; 2+ messages in thread
From: Antonin Godard @ 2025-03-03 11:16 UTC (permalink / raw)
To: adrian.freihofer, docs; +Cc: marex, Adrian Freihofer
Hi Adrian,
On Tue Feb 25, 2025 at 10:37 PM CET, Adrian Freihofer via lists.yoctoproject.org wrote:
> Incorporate the lessons learned from a regression introduced with commit
> 29d32063ac0abb1017756f62f94aec22ce305b60 and fixed with commit
> d63dba2f98edf89558647e336b19d805b00f4d98 into the documentation.
>
> The use of the variable FIT_SIGN_INDIVIDUAL is explicitly discouraged.
> It is also noted that this variable may be removed. It is important that
> we try to simplify the implementation of the FIT screen as much as
> possible. Adding appropriate notes to the documentation is a first step
> towards this direction.
>
> Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
> ---
> documentation/ref-manual/variables.rst | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> index b432488a012..645bb1453d1 100644
> --- a/documentation/ref-manual/variables.rst
> +++ b/documentation/ref-manual/variables.rst
> @@ -3173,7 +3173,18 @@ system and gives an overview of their function and contents.
> intending to verify signatures in another context than booting via
> U-Boot.
>
> - This variable is set to "0" by default.
> + If :term:`UBOOT_SIGN_ENABLE` is set to “1” and :term:`FIT_SIGN_INDIVIDUAL`
s/“”/""/, Sphinx will handle the quotes
> + is left at its default value of “0”, only the configurations are signed.
> + However, the configuration signatures include the hashes of the referenced
> + image nodes. This means that the entire FIT image is appropriately signed.
s/image nodes/nodes/? a node can be anything (kernel, device tree...)
I feel that "the entire FIT image is appropriately signed" is a bit of a
shortcut. Instead I would suggest something like:
"""
This means that the integrity of the entire FIT image is ensured because each
hash is compared against a runtime-computed hash for each node.
"""
> +
> + If :term:`UBOOT_SIGN_ENABLE` is set to “1” and :term:`FIT_SIGN_INDIVIDUAL`
> + is set to “1”, then the FIT image is signed twice, which is redundant.
> + As this leads to additional complexity without providing any obvious
> + advantage, this feature will likely be removed in a future version.
> +
> + Signing only the image nodes is intentionally not implemented by OE-core,
s/OE-core/:term:`OpenEmbedded-Core (OE-Core)`/
> + as it is vulnerable to mix-and-match attacks.
>
> :term:`FIT_SIGN_NUMBITS`
> Size of the private key used in the FIT image, in number of bits.
Thanks this is a lot clearer to me than the previous version.
Antonin
--
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-03-03 11:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-25 21:37 [PATCH v2] ref-manual: variable FIT_SIGN_INDIVIDUAL mix-and-match attacks Adrian Freihofer
2025-03-03 11:16 ` [docs] " Antonin Godard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.