[U-Boot] Verified boot and Legacy Kernel Images

[Heiko Schocher <hs@denx.de>]

Hello Mike,

Am 05.05.2014 16:27, schrieb Mike Pearce:
> Please help as I am confused.
>
> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
> works fine with FIT images. However it still boots the resident legacy
> kernal that has not been signed.
>
> This means that anyone wishing to circumvent the signed hash can do so by
> replacing the image file with a legacy one. That makes for a security hole
> and so I must have done something wrong.

No, you did nothing wrong ...

> When I look at function bootm_find_os() from file cmd_bootm.c its switch
> statement provides this behaviour -
>
>   case IMAGE_FORMAT_LEGACY:
>          cool, its a go from me. Verify using an unsigned hash.
>          break;
> #if defined(CONFIG_FIT)
>    case IMAGE_FORMAT_FIT:
>          do the signed hash checks when loading the image.
>          break;
>
> What I cannot find in the code is anything that I can compile in to prevent
> an unsigned legacy kernel from booting. The defines I already used include
>
>    #define CONFIG_OF_LIBFDT
>    #define CONFIG_CMD_HASH
>    #define CONFIG_HASH_VERIFY
>    #define CONFIG_FIT_SIGNATURE
>    #define CONFIG_RSA

See this thread:

http://lists.denx.de/pipermail/u-boot/2014-May/178800.html

in particular Simons statement:
http://lists.denx.de/pipermail/u-boot/2014-May/178922.html

-> Currently, nothing prevents to boot an unsigned legacy kernel ...

Patches are welcome ;-)

bye,
Heiko
-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany