From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: U-Boot FIT Signature Verification
Date: Thu, 17 Sep 2020 14:26:03 +0900 [thread overview]
Message-ID: <20200917052603.GA3099713@laputa> (raw)
In-Reply-To: <f5c8aea1-1d58-05f3-d9f0-1d8797dac118@gmx.de>
On Wed, Sep 16, 2020 at 01:14:56PM +0200, Heinrich Schuchardt wrote:
> On 16.09.20 10:13, AKASHI Takahiro wrote:
> > On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:
> >> On 9/11/20 7:26 PM, Andrii Voloshyn wrote:
> >>> Hi there,
> >>>
> >>> Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file?
> >>>
> >>> Cheers,
> >>> Andy
> >>>
> >>
> >> Hello Philippe,
> >>
> >> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
> >> find a comparison of the date on which an image was signed with the
> >> expiry date of the certificate. Shouldn't there be a check? Or did I
> >> simply look into the wrong function?
> >
> > I think Simon is the right person to answer this question, but
> >
> > as far as I know, we don't have any device tree property for the expiration
> > date of a public key. See doc/uImage.FIT/signature.txt.
>
> Yes, the problem starts with mkimage not writing the dates available in
> the X509 certificate into the device tree.
>
> The dates are accessible via the X509_get0_notBefore() and
> X509_get0_notAfter() functions of the OpenSSL library.
>
>
> Takahiro, could you, please, also look at the UEFI secure boot
> implementation in U-Boot. EDK2 validates the dates via the embedded
> OpenSSL library in
> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function
> verify_chain(). We should not do less.
Yes, we do the check. See pkcs7_verify_one() in lib/crypto/pkcs7_verify.c.
-Takahiro Akashi
> Best regards
>
> Heinrich
next prev parent reply other threads:[~2020-09-17 5:26 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-11 17:26 U-Boot FIT Signature Verification Andrii Voloshyn
2020-09-15 23:19 ` Heinrich Schuchardt
2020-09-16 8:13 ` AKASHI Takahiro
2020-09-16 11:14 ` Heinrich Schuchardt
2020-09-16 11:40 ` Joakim Tjernlund
2020-09-16 11:55 ` Heinrich Schuchardt
2020-09-16 12:05 ` Joakim Tjernlund
2020-09-16 12:44 ` Heinrich Schuchardt
2020-09-16 19:54 ` Tom Rini
2020-09-17 5:33 ` takahiro.akashi at linaro.org
2020-09-17 5:57 ` takahiro.akashi at linaro.org
2020-09-17 5:26 ` AKASHI Takahiro [this message]
2020-09-16 20:01 ` Philippe REYNES
-- strict thread matches above, loose matches on Subject: below --
2020-09-16 15:31 REITHER Robert - Contractor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200917052603.GA3099713@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox