public inbox for u-boot@lists.denx.de
From: Wolfgang Denk <wd@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] Secure update of uboot devices?
Date: Fri, 30 Dec 2011 13:37:47 +0100
Message-ID: <20111230123747.849B019082FA@gemini.denx.de>
In-Reply-To: <CAB+EkH4j-UoUyHb=XgDbGRncX=Oq6+3+MNjWStiuojoOYUcMPw@mail.gmail.com>

Dear Andreas,

In message <CAB+EkH4j-UoUyHb=XgDbGRncX=Oq6+3+MNjWStiuojoOYUcMPw@mail.gmail.com> you wrote:
>
> sha1sum sum is yes enough to verify that no files have been modified on the
> file system on the already installed Linux device.

It is also good enough to ensure that the files on any distribution
media have not been corrupted or modified in some way.  Of course it
does not protect against intentional modifications.

> But my case here is if one need to update the software on the device out
> somewhere in the world we have now made a usb stick and uboot looks for
> special files first on the usb stick before it continues normal boot. How
> can one ensure that the software on the usb stick is not altered on the way
> to include some additional unwanted features?

You cannot.  Actually you would have to ensure first that the U-Boot
running on that system has not been tampered with.  If I were to
attack such a system, I'd probably first install (or otherwise run) a
version of U-Boot that has any such security checks disabled or
removed.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
There is, however, a strange, musty smell in the air that reminds  me
of something...hmm...yes...I've got it...there's a VMS nearby, or I'm
a Blit.          - Larry Wall in Configure from the perl distribution
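
Added example, not part of the original message or of U-Boot: a Python sketch of the point above that a sha1sum manifest travelling with the update catches corruption but not intentional modification, because whoever alters a file can regenerate the manifest. The file names, contents and key are constructed assumptions, and an HMAC over the manifest stands in for a signature check; as the message notes, such a check is only as trustworthy as the U-Boot that runs it.

```python
import hashlib
import hmac

def sha1_manifest(files):
    """Build sha1sum-style manifest text for a {name: bytes} mapping."""
    return "".join(f"{hashlib.sha1(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))

def check_manifest(files, manifest):
    """Like `sha1sum -c`: True only if every listed file matches its digest."""
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        data = files.get(name)
        if data is None or hashlib.sha1(data).hexdigest() != digest:
            return False
    return True

def tag_manifest(key, manifest):
    """Authenticate the manifest with a key that is NOT stored on the stick."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def check_authenticated(key, files, manifest, tag):
    """Accept only if the manifest tag verifies and the files match it."""
    expected = tag_manifest(key, manifest)
    return hmac.compare_digest(expected, tag) and check_manifest(files, manifest)

# Constructed sample data: contents of a hypothetical update stick.
DEVICE_KEY = b"constructed-demo-key"  # assumption: known to vendor and device only
stick = {"uImage": b"kernel v2", "rootfs.img": b"rootfs v2"}
manifest = sha1_manifest(stick)
tag = tag_manifest(DEVICE_KEY, manifest)

def corrupted_copy():
    """Accidental damage: one file changed, manifest and tag untouched."""
    return dict(stick, uImage=b"kernel v2\x00"), manifest, tag

def modified_copy():
    """Intentional change: file replaced and manifest regenerated to match.
    The old tag is reused because it cannot be recomputed without the key."""
    files = dict(stick, **{"rootfs.img": b"rootfs v2 + extra"})
    return files, sha1_manifest(files), tag

if __name__ == "__main__":
    cases = [("intact", (stick, manifest, tag)),
             ("corrupted", corrupted_copy()),
             ("modified", modified_copy())]
    for label, (f, m, t) in cases:
        print(label, check_manifest(f, m), check_authenticated(DEVICE_KEY, f, m, t))
```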
