From: Heiko Schocher
Date: Wed, 07 May 2014 09:06:04 +0200
Subject: [U-Boot] booting signed Images
References: <53673F4F.3070503@denx.de> <20140505175504.9FE723809DA@gemini.denx.de>
Message-ID: <5369DB5C.4080905@denx.de>
To: u-boot@lists.denx.de

Hello Simon,

On 05.05.2014 20:31, Simon Glass wrote:
> Hi Wolfgang,
>
> On 5 May 2014 11:55, Wolfgang Denk wrote:
>> Dear Simon,
>>
>> In message you wrote:
>>>
>>>> Should we not prevent booting uImages or not signed FIT Images when
>>>> CONFIG_FIT_SIGNATURE is defined?
>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>> env variable.
>>>>
>>>> What do you think?
>>>
>>> There is a 'required' property in the public keys which is intended to
>>> support this. If you mark a key as 'required' then it will need to be
>>> verified by any image that is loaded. There is a test for this case,
>>> but it may not be comprehensive.
>>
>> But what about legacy uImage files? It appears nothing would stop
>> booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.

The question here is: do we introduce a new config option for this, or
do we use, for example, CONFIG_FIT_SIGNATURE to disable it?

I prefer to check CONFIG_FIT_SIGNATURE and disable IMAGE_FORMAT_LEGACY
completely.

bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
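The check sketched in the thread (classify the image by its header and refuse IMAGE_FORMAT_LEGACY whenever signature enforcement is on) as a standalone C illustration. This is added example code, not U-Boot's own implementation: the IH_MAGIC and FDT_MAGIC values are the real uImage and FDT header magics, but detect_format(), format_allowed() and check_kernel_image() are simplified stand-ins for genimg_get_format() and boot_get_kernel(), and the signature_enforced flag is an assumption modelling CONFIG_FIT_SIGNATURE (or an env variable) rather than a real config symbol. The sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real on-disk magics: the legacy uImage header (IH_MAGIC) and the FDT
 * header that every FIT image starts with. Both are stored big-endian. */
#define IH_MAGIC  0x27051956u
#define FDT_MAGIC 0xd00dfeedu

enum image_format {
    IMAGE_FORMAT_INVALID = 0,
    IMAGE_FORMAT_LEGACY,   /* uImage: carries a CRC but no signature */
    IMAGE_FORMAT_FIT       /* FIT: can carry hashes and signatures */
};

/* Read a big-endian 32-bit word from a byte buffer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Simplified stand-in for genimg_get_format(): classify by leading magic.
 * (Assumption: U-Boot's real function also knows other formats.) */
enum image_format detect_format(const uint8_t *img, size_t len)
{
    if (img == NULL || len < 4)
        return IMAGE_FORMAT_INVALID;
    switch (be32(img)) {
    case IH_MAGIC:  return IMAGE_FORMAT_LEGACY;
    case FDT_MAGIC: return IMAGE_FORMAT_FIT;
    default:        return IMAGE_FORMAT_INVALID;
    }
}

/* The policy decision discussed in the thread. `signature_enforced` models
 * CONFIG_FIT_SIGNATURE being set (or an env variable demanding signatures).
 * Returns 1 if the boot path may continue with this format, 0 if refused. */
int format_allowed(enum image_format fmt, int signature_enforced)
{
    switch (fmt) {
    case IMAGE_FORMAT_FIT:
        /* FIT images proceed to the normal signature verification step
         * (not modelled here); a 'required' key still gates them there. */
        return 1;
    case IMAGE_FORMAT_LEGACY:
        /* A uImage cannot be signed, so with enforcement on it is rejected
         * before any load address or entry point from it is trusted. */
        return signature_enforced ? 0 : 1;
    default:
        return 0;
    }
}

/* Stand-in for the boot_get_kernel() entry: returns the accepted format,
 * or IMAGE_FORMAT_INVALID when the image must not be booted. */
enum image_format check_kernel_image(const uint8_t *img, size_t len,
                                     int signature_enforced)
{
    enum image_format fmt = detect_format(img, len);
    return format_allowed(fmt, signature_enforced) ? fmt : IMAGE_FORMAT_INVALID;
}

/* Constructed sample headers: just the 4-byte magic of each format. */
const uint8_t sample_legacy[4] = { 0x27, 0x05, 0x19, 0x56 };
const uint8_t sample_fit[4]    = { 0xd0, 0x0d, 0xfe, 0xed };
const uint8_t sample_junk[4]   = { 0x00, 0x11, 0x22, 0x33 };

int main(void)
{
    static const char *names[] = { "INVALID", "LEGACY", "FIT" };
    int enforced;

    for (enforced = 0; enforced <= 1; enforced++) {
        printf("signature_enforced=%d: legacy->%s fit->%s junk->%s\n",
               enforced,
               names[check_kernel_image(sample_legacy, 4, enforced)],
               names[check_kernel_image(sample_fit, 4, enforced)],
               names[check_kernel_image(sample_junk, 4, enforced)]);
    }
    return 0;
}
```

With enforcement on, the legacy header is refused before anything in it is used, which is the gap Wolfgang points out: a 'required' key only constrains FIT images, so the uImage path needs its own gate. Whether that gate keys off CONFIG_FIT_SIGNATURE or a new option is the open question in the thread; the flag here is deliberately a plain parameter so either choice maps onto it.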