Sourcing a signed boot script

Sourcing a signed boot script

[Diego Rondini]

Hi,

I would like to ask if it is possible to source a script after
verifying its signature.

Currently I've been able to source a script from a signed FIT image,
before doing "bootm", with:
source <addr>:<name>
But this way the signature is not checked yet, so the script cannot be trusted.

According to the docs[1] it seems that it's not possible yet to verify
a FIT image signature without also booting the corresponding image. Is
that right?


[1] https://gitlab.denx.de/u-boot/u-boot/blob/v2019.10/doc/uImage.FIT/signature.txt#L580

Thank you,
Diego Rondini

Sourcing a signed boot script

[Lukasz Majewski]

Hi Diego,

> Hi,
> 
> I would like to ask if it is possible to source a script after
> verifying its signature.
> 
> Currently I've been able to source a script from a signed FIT image,
> before doing "bootm", with:
> source <addr>:<name>
> But this way the signature is not checked yet, so the script cannot
> be trusted.
> 
> According to the docs[1] it seems that it's not possible yet to verify
> a FIT image signature without also booting the corresponding image. Is
> that right?

You can look into the "spl" command, which does the FIT parsing (to
prepare data for falcon mode booting).

You may want to re-use such "dry-run" feature to verify the signature,
extract the script and use it.

(And yes, I don't think that checking the signature for script works
out of the box).

> 
> 
> [1]
> https://gitlab.denx.de/u-boot/u-boot/blob/v2019.10/doc/uImage.FIT/signature.txt#L580
> 
> Thank you,
> Diego Rondini




Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20191205/a967bc2c/attachment.sig>

Sourcing a signed boot script

[Diego Rondini]

Hi Lukasz,

On Thu, Dec 5, 2019 at 11:14 PM Lukasz Majewski <lukma@denx.de> wrote:
>
> Hi Diego,
>
> > Hi,
> >
> > I would like to ask if it is possible to source a script after
> > verifying its signature.
> >
> > Currently I've been able to source a script from a signed FIT image,
> > before doing "bootm", with:
> > source <addr>:<name>
> > But this way the signature is not checked yet, so the script cannot
> > be trusted.
> >
> > According to the docs[1] it seems that it's not possible yet to verify
> > a FIT image signature without also booting the corresponding image. Is
> > that right?
>
> You can look into the "spl" command, which does the FIT parsing (to
> prepare data for falcon mode booting).
>
> You may want to re-use such "dry-run" feature to verify the signature,
> extract the script and use it.
>
> (And yes, I don't think that checking the signature for script works
> out of the box).
>

I will have a look at your suggestion and report back the outcome!

Thanks again,
Diego Rondini