* [U-Boot-Users] What methods of software authentication does U-Boot support?
@ 2008-04-18 17:01 Ken.Fuchs at bench.com
2008-04-18 21:32 ` Kim Phillips
0 siblings, 1 reply; 4+ messages in thread
From: Ken.Fuchs at bench.com @ 2008-04-18 17:01 UTC (permalink / raw)
To: u-boot
Goal:

U-Boot will run only software that has been
authenticated to be from the system's producer.

--- A Potential Authentication Method ---

The producer of the system generates a cryptographic
[private-key, public-key] pair, storing the public-key
on the same media as U-Boot (i.e. NOR flash; perhaps
as a read-only environment variable) on all systems
and keeping the private-key hidden at a secure site.
A hash of the software is generated, encrypted
with the private key and shipped with the software.

U-Boot reads the private-key encrypted hash and decodes
it with its public-key. U-Boot loads the software and
generates the hash. If both hashes match, the software
is authenticated and U-Boot executes the authenticated
software.

--- Comment ---

U-Boot obviously supports loading and verification of
the generated hash, but I haven't been able to locate
public-key cryptographic or other authentication support
in U-Boot. Perhaps, it is available as a loadable
(stand-alone) module?

Any comments or suggestions?

Sincerely,

Ken Fuchs
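
The check proposed in the message above, sketched in C as an added example (not part of the original post and not U-Boot code). Assumptions: a constructed toy RSA key of about 60 bits built from two well-known primes, FNV-1a standing in for a cryptographic hash such as SHA-256, no signature padding, and hypothetical function names; it needs a compiler with `unsigned __int128` (GCC or Clang).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy key: two well-known primes, e = 3. Far too small for real use. */
#define P 1000000007ULL
#define Q 998244353ULL
static const uint64_t N = P * Q;   /* public modulus, stored next to the bootloader */
static const uint64_t E = 3;       /* public exponent */
static const uint64_t D = (2 * (P - 1) * (Q - 1) + 1) / 3; /* private, producer only */

/* Stand-in digest (FNV-1a, 32-bit, not cryptographic). */
static uint32_t digest(const uint8_t *img, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ img[i]) * 16777619u;
    return h;
}

static uint64_t modexp(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;
    for (b %= n; e; e >>= 1) {
        if (e & 1) r = (uint64_t)((unsigned __int128)r * b % n);
        b = (uint64_t)((unsigned __int128)b * b % n);
    }
    return r;
}

/* Producer side: runs at the secure site, the only place D exists. */
uint64_t producer_sign(const uint8_t *img, size_t len)
{
    return modexp(digest(img, len), D, N);
}

/* Boot side: recover the signed digest with the public key and compare it
 * with the digest of what was actually loaded; anything else fails closed. */
int boot_verify(const uint8_t *img, size_t len, uint64_t sig)
{
    if (sig >= N) return 0;        /* out-of-range signature: reject */
    return modexp(sig, E, N) == digest(img, len);
}

/* Sign `shipped` as the producer, then verify `loaded` as the bootloader. */
int sign_then_boot(const char *shipped, const char *loaded)
{
    uint64_t sig = producer_sign((const uint8_t *)shipped, strlen(shipped));
    return boot_verify((const uint8_t *)loaded, strlen(loaded), sig);
}
```

The public key is only as trustworthy as the storage it sits in: if the flash holding it can be rewritten, the key can be replaced together with the image.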
From: Kim Phillips @ 2008-04-18 21:32 UTC (permalink / raw)
To: u-boot
On Fri, 18 Apr 2008 12:01:38 -0500
<Ken.Fuchs@bench.com> wrote:
> Goal:
>
> U-Boot will run only software that has been
> authenticated to be from the system's producer.
>
> --- A Potential Authentication Method ---
>
> The producer of the system generates a cryptographic
> [private-key, public-key] pair, storing the public-key
> on the same media as U-Boot (i.e. NOR flash; perhaps
> as a read-only environment variable) on all systems
> and keeping the private-key hidden at a secure site.
> A hash of the software is generated, encrypted
> with the private key and shipped with the software.
>
> U-Boot reads the private-key encrypted hash and decodes
> it with its public-key. U-Boot loads the software and
> generates the hash. If both hashes match, the software
> is authenticated and U-Boot executes the authenticated
> software.
>
> --- Comment ---
>
> U-Boot obviously supports loading and verification of
> the generated hash, but I haven't been able to locate
> public-key cryptographic or other authentication support
> in U-Boot. Perhaps, it is available as a loadable
> (stand-alone) module?
>
> Any comments or suggestions?
>
this patch taps into openssl:
http://thread.gmane.org/gmane.comp.boot-loaders.u-boot/23977
or you might want to reuse some of linux' crypto library code.
Kim
From: Wolfgang Denk @ 2008-04-20 23:32 UTC (permalink / raw)
To: u-boot
In message <20080418163211.d5a1ee64.kim.phillips@freescale.com> you wrote:
>
> > U-Boot will run only software that has been
> > authenticated to be from the system's producer.
Seems it's time to start a discussion to switch to GPL v3...
> > Any comments or suggestions?
> >
> this patch taps into openssl:
Be careful. Linking against openssl is not possible because the
openssl licence is not compatible with GPL; see for example
http://www.gnome.org/~markmc/openssl-and-the-gpl.html
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Your own mileage may vary.
From: Kenneth Johansson @ 2008-04-21 12:07 UTC (permalink / raw)
To: u-boot
On Mon, 2008-04-21 at 01:32 +0200, Wolfgang Denk wrote:
> In message <20080418163211.d5a1ee64.kim.phillips@freescale.com> you wrote:
> >
> > > U-Boot will run only software that has been
> > > authenticated to be from the system's producer.
>
> Seems it's time to start a discussion to switch to GPL v3...
>
>
> > > Any comments or suggestions?
> > >
> > this patch taps into openssl:
>
> Be careful. Linking against openssl is not possible because the
> openssl licence is not compatible with GPL; see for example
> http://www.gnome.org/~markmc/openssl-and-the-gpl.html
>
> Best regards,
>
> Wolfgang Denk
>
For a u-boot friendly version of RSA look at
http://xyssl.org/code/source/rsa/
I have not used it as the client put the secure (authenticated) image
thing on hold but it was the best I could find in the limited time I put
into it.