From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mike Frysinger Date: Fri, 6 Jan 2012 14:25:52 -0500 Subject: [U-Boot] Secure update of uboot devices? In-Reply-To: References: <20120102100655.1145082311@gemini.denx.de> Message-ID: <201201061425.52983.vapier@gentoo.org> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Friday 06 January 2012 06:24:50 Andreas B?ck wrote: > Actually there seams to exsist some very old patches for this > http://lists.denx.de/pipermail/u-boot/2006-September/016960.html > > Here a paper quite exact what I am after: > http://elinux.org/images/2/28/Trusted_Boot_Loader.pdf > > Is there any toughts on integating this in trunk or should I try to merge > this patch with the git trunk of my own? i think you need to outline exactly what it is you're trying to do. "secure update" and "secure boot" is way too vague. for starters, you need to outline the vectors you're trying to protect against. the arm trustzone whitepaper is a pretty good example of things: http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29- GENC-009492C_trustzone_security_whitepaper.pdf there are many hardware solutions out there for verifying the integrity of u- boot itself before executing it, but they tend to be SoC/arch specific. the trusted boot paper you referred to for example really only makes sense on x86 based platforms. the patch you referred to however is for verifying the integrity of the kernel image that u-boot boots. it doesn't help with u-boot itself. -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. URL: