From: Wolfgang Denk <wd@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
Date: Fri, 09 May 2014 15:35:34 +0200 [thread overview]
Message-ID: <20140509133534.BE41538043A@gemini.denx.de> (raw)
In-Reply-To: <CAPnjgZ1_Cf-eu592YqF0=th7MT1da6Gh7Pv1Lxaf79kV8Lw9OQ@mail.gmail.com>
Dear Simon,
In message <CAPnjgZ1_Cf-eu592YqF0=th7MT1da6Gh7Pv1Lxaf79kV8Lw9OQ@mail.gmail.com> you wrote:
>
> I agree that it might be dangerous to allow legacy boot when signature
> verification is used. It would be nice to fix that.
I think there is general agreement on this point.
> This means that legacy is on by default, unless signature verification
> is enabled, in which case the default flips. But I worry that it might
> only confuse people. This seems like a Wolfgang / Tom question :-)
OK, here is my 0.02? to it:
I think, no matter how we implement it, this should exactly the
behaviour. Average users tend to avoid reading documentation, so if
they enable signature verification the most likely want a secure
system, so we should give them just that. Only if someone really
knows what he is doing he should be able to enable support for
(insecure) legacy images.
As for the implementation - yes, the
#ifdef CONFIG_FIT_SIGNATURE_VERIFICATION
approach indeed does not look very nice, but then, it appears to be
the straightforward implementation of what we want to do?
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Time is an illusion perpetrated by the manufacturers of space.
next prev parent reply other threads:[~2014-05-09 13:35 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-08 11:05 [U-Boot] [PATCH 0/4] mpc8313: ids8313 board updates Heiko Schocher
2014-05-08 11:05 ` [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format Heiko Schocher
2014-05-08 13:02 ` mike
2014-05-09 4:29 ` Wolfgang Denk
2014-05-09 5:12 ` Heiko Schocher
2014-05-09 13:13 ` Simon Glass
2014-05-09 13:35 ` Wolfgang Denk [this message]
2014-05-09 18:47 ` Simon Glass
2014-05-09 19:12 ` Tom Rini
2014-05-12 7:36 ` Heiko Schocher
2014-05-12 15:00 ` Tom Rini
2014-05-08 11:05 ` [U-Boot] [PATCH 2/4] mpc8313, signed fit: disable legacy image format on ids8313 board Heiko Schocher
2014-05-08 20:19 ` Kim Phillips
2014-05-08 11:05 ` [U-Boot] [PATCH 3/4] lib, fdt: move fdtdec_get_int() out of lib/fdtdec.c Heiko Schocher
2014-05-09 19:59 ` Simon Glass
2014-05-12 7:09 ` Heiko Schocher
2014-05-08 11:05 ` [U-Boot] [PATCH 4/4] mpc8313: add CONFIG_SYS_GENERIC_BOARD to ids8313 board Heiko Schocher
2014-05-08 20:19 ` Kim Phillips
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140509133534.BE41538043A@gemini.denx.de \
--to=wd@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox