From: Heiko Schocher
Date: Tue, 06 May 2014 08:38:05 +0200
Subject: [U-Boot] Verified boot and Legacy Kernel Images
Message-ID: <5368834D.1080206@denx.de>
To: u-boot@lists.denx.de

Hello Mike,

Am 05.05.2014 16:27, schrieb Mike Pearce:
> Please help as I am confused.
>
> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
> works fine with FIT images. However it still boots the resident legacy
> kernel that has not been signed.
>
> This means that anyone wishing to circumvent the signed hash can do so by
> replacing the image file with a legacy one. That makes for a security hole
> and so I must have done something wrong.

No, you did nothing wrong ...

> When I look at function bootm_find_os() from file cmd_bootm.c its switch
> statement provides this behaviour -
>
>     case IMAGE_FORMAT_LEGACY:
>         cool, it's a go from me. Verify using an unsigned hash.
>         break;
>     #if defined(CONFIG_FIT)
>     case IMAGE_FORMAT_FIT:
>         do the signed hash checks when loading the image.
>         break;
>
> What I cannot find in the code is anything that I can compile in to prevent
> an unsigned legacy kernel from booting. The defines I already used include
>
>     #define CONFIG_OF_LIBFDT
>     #define CONFIG_CMD_HASH
>     #define CONFIG_HASH_VERIFY
>     #define CONFIG_FIT_SIGNATURE
>     #define CONFIG_RSA

See this thread:

http://lists.denx.de/pipermail/u-boot/2014-May/178800.html

in particular Simon's statement:

http://lists.denx.de/pipermail/u-boot/2014-May/178922.html

-> Currently, nothing prevents booting an unsigned legacy kernel ...

Patches are welcome ;-)

bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
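The gap the thread describes is a downgrade path: the FIT branch of the dispatcher is signature-checked, the legacy branch only CRC-checked, and the format is chosen by whatever magic the attacker-supplied image carries. The example below is an added illustration of the mitigation the thread asks for, not U-Boot's cmd_bootm.c; select_os_image, detect_format, require_signed and the stub verifiers are hypothetical names, and the two sample buffers are constructed. Only the two magic values are real: 0x27051956 is the legacy uImage header magic and 0xd00dfeed is the flattened device tree magic that a FIT image starts with. With require_signed set (standing in for a build with CONFIG_FIT_SIGNATURE), a legacy image is refused before any CRC or hash is computed, so swapping the signed FIT for an unsigned legacy image no longer boots.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real on-media magics, both stored big-endian at offset 0. */
#define IH_MAGIC   0x27051956u  /* legacy uImage header */
#define FDT_MAGIC  0xd00dfeedu  /* flattened device tree: a FIT is an FDT blob */

enum image_format { FMT_INVALID, FMT_LEGACY, FMT_FIT };

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify an image purely by its leading magic, as the loader must:
 * at this point nothing about the buffer is trusted yet. */
enum image_format detect_format(const uint8_t *buf, size_t len)
{
	if (len < 4)
		return FMT_INVALID;
	switch (be32(buf)) {
	case IH_MAGIC:  return FMT_LEGACY;
	case FDT_MAGIC: return FMT_FIT;
	default:        return FMT_INVALID;
	}
}

/* Hypothetical dispatcher modelled on the switch quoted in the mail.
 * require_signed models CONFIG_FIT_SIGNATURE being enabled; verify_fit
 * stands in for the RSA signature check. Returns 0 when the image may be
 * booted, -1 when it must be refused. */
int select_os_image(const uint8_t *buf, size_t len, int require_signed,
		    int (*verify_fit)(const uint8_t *, size_t))
{
	switch (detect_format(buf, len)) {
	case FMT_LEGACY:
		if (require_signed) {
			/* Close the downgrade path: no unsigned format is
			 * acceptable once signed boot is configured. */
			puts("Legacy image rejected: verified boot requires a signed FIT");
			return -1;
		}
		return 0;	/* CRC-only path, as in the current code */
	case FMT_FIT:
		return verify_fit(buf, len) ? 0 : -1;
	default:
		return -1;	/* unknown format is never booted */
	}
}

/* Constructed sample headers: magic followed by padding, not real images. */
static const uint8_t sample_legacy[8] = { 0x27, 0x05, 0x19, 0x56, 0, 0, 0, 0 };
static const uint8_t sample_fit[8]    = { 0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 0 };

/* Stub verifiers so the dispatcher can be exercised without a key. */
static int verify_always_ok(const uint8_t *b, size_t l) { (void)b; (void)l; return 1; }
static int verify_always_bad(const uint8_t *b, size_t l) { (void)b; (void)l; return 0; }

int main(void)
{
	int unsigned_build = select_os_image(sample_legacy, sizeof sample_legacy, 0, verify_always_ok);
	int signed_build   = select_os_image(sample_legacy, sizeof sample_legacy, 1, verify_always_ok);
	printf("legacy image, signature not required: %s\n", unsigned_build == 0 ? "boots" : "refused");
	printf("legacy image, signature required:     %s\n", signed_build == 0 ? "boots" : "refused");
	return 0;
}
```

The check sits on the format switch rather than inside the legacy verifier on purpose: the policy "only signed FITs boot" belongs at the point where the format is selected, so that no later CRC or hash success on a legacy header can be mistaken for authentication.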