From mboxrd@z Thu Jan 1 00:00:00 1970
From: Heiko Schocher
Date: Mon, 12 May 2014 09:36:54 +0200
Subject: [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
In-Reply-To: <20140509191248.GV22182@bill-the-cat>
References: <1399547118-5136-1-git-send-email-hs@denx.de>
 <1399547118-5136-2-git-send-email-hs@denx.de>
 <536B8062.6030209@kaew.be>
 <536C63B8.2010801@denx.de>
 <20140509133534.BE41538043A@gemini.denx.de>
 <20140509191248.GV22182@bill-the-cat>
Message-ID: <53707A16.20703@denx.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hello Tom, Simon, Wolfgang, Lars,

On 09.05.2014 21:12, Tom Rini wrote:
> On Fri, May 09, 2014 at 12:47:44PM -0600, Simon Glass wrote:
>> Hi Wolfgang,
>>
>> On 9 May 2014 07:35, Wolfgang Denk wrote:
>>> Dear Simon,
>>>
>>> In message you wrote:
>>>>
>>>> I agree that it might be dangerous to allow legacy boot when signature
>>>> verification is used. It would be nice to fix that.
>>>
>>> I think there is general agreement on this point.
>>>
>>>> This means that legacy is on by default, unless signature verification
>>>> is enabled, in which case the default flips. But I worry that it might
>>>> only confuse people. This seems like a Wolfgang / Tom question :-)
>>>
>>> OK, here is my 0.02€ to it:
>>>
>>> I think, no matter how we implement it, this should be exactly the
>>> behaviour. Average users tend to avoid reading documentation, so if
>>> they enable signature verification they most likely want a secure
>>> system, so we should give them just that. Only if someone really
>>> knows what he is doing should he be able to enable support for
>>> (insecure) legacy images.
>>>
>>> As for the implementation - yes, the
>>> #ifdef CONFIG_FIT_SIGNATURE_VERIFICATION
>>> approach indeed does not look very nice, but then, it appears to be
>>> the straightforward implementation of what we want to do?
>>
>> OK, well in that case, let's do it that way.
>
> Agreed, then we can look for clever ways to refactor the code after.

Ok, summary for one first step (I can do):

- introduce CONFIG_IMAGE_FORMAT_LEGACY based on patch [1]
  (rename "+#if !defined(CONFIG_DISABLE_IMAGE_FORMAT_LEGACY)" to
   "+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)")

- set CONFIG_IMAGE_FORMAT_LEGACY as default:
  (a little bit adapted towards Simon's CONFIG_FIT_SIGNATURE_VERIFICATION
   proposal ... I don't want to introduce a new define ...)

  in config_defaults:

+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_LEGACY
+#endif

  so, if boards do not define CONFIG_FIT_SIGNATURE, they have
  CONFIG_IMAGE_FORMAT_LEGACY enabled by default (as currently).

  If CONFIG_FIT_SIGNATURE is enabled, the legacy image format is
  disabled by default (this changes the current behaviour of boards
  which use this feature! This is only the case for:

$ grep -lr CONFIG_FIT_SIGNATURE include/
include/configs/zynq-common.h -> Michal, add Michal therefore to Cc
include/configs/sandbox.h     -> Simon
include/configs/ids8313.h     -> me
include/image.h
$

  ), but boards can enable it if needed (as the ids8313 board needs it
  ... yes, not nice ...)

If boards which have not enabled CONFIG_FIT_SIGNATURE want to disable
the legacy image format ... we can add this case if we want, like:

in config_defaults:

+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_LEGACY
+#endif
+
+#ifdef CONFIG_DISABLE_IMAGE_LEGACY
+#undef CONFIG_IMAGE_LEGACY
+#endif

Is this a way to go?

bye,
Heiko

[1]: [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
     http://lists.denx.de/pipermail/u-boot/2014-May/179190.html

-- 
DENX Software Engineering GmbH,      MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
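Review bot: the macro defined in both config_defaults snippets, CONFIG_IMAGE_LEGACY, is not the name the first bullet introduces and the bootm code tests with "+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)"; as written, the default would never turn the legacy format on, and the "#undef CONFIG_IMAGE_LEGACY" in the second snippet would undefine a macro nothing reads. Use one name throughout, i.e. "+#define CONFIG_IMAGE_FORMAT_LEGACY" and "+#undef CONFIG_IMAGE_FORMAT_LEGACY", and for consistency with patch [1] spell the opt-out CONFIG_DISABLE_IMAGE_FORMAT_LEGACY rather than CONFIG_DISABLE_IMAGE_LEGACY. It is also worth a comment in config_defaults that a board which sets CONFIG_FIT_SIGNATURE and still defines CONFIG_IMAGE_FORMAT_LEGACY itself (the ids8313 case) is deliberately opting back into unsigned legacy images, so nobody later "fixes" it.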
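The gate the thread converges on (legacy uImage format on by default, off once CONFIG_FIT_SIGNATURE is set, with an explicit board opt-in and a proposed opt-out), modelled as an added example. This is not U-Boot code: the struct boot_config fields are a run-time stand-in for the build-time CONFIG_* macros, the 64-byte header is constructed here, the FIT branch is a placeholder that returns BOOT_OK because FIT signature verification is outside this example, and the header CRC is computed the way U-Boot's image_check_hcrc() does (CRC-32 over the header with the ih_hcrc field zeroed). The point it demonstrates is why the policy check has to come before the CRC check: a legacy header carries only checksums, so a valid CRC says nothing about who produced the image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IH_MAGIC    0x27051956u /* legacy uImage header magic (U-Boot image.h) */
#define FDT_MAGIC   0xd00dfeedu /* a FIT image is a flattened device tree      */
#define IH_HDR_SIZE 64

/* Bitwise CRC-32 (IEEE 802.3), the polynomial U-Boot's crc32() uses. */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
	uint32_t c = 0xffffffffu;
	for (size_t i = 0; i < n; i++) {
		c ^= p[i];
		for (int k = 0; k < 8; k++)
			c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
	}
	return ~c;
}

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Hypothetical run-time stand-in for the build-time CONFIG_* switches. */
struct boot_config {
	int fit_signature;  /* CONFIG_FIT_SIGNATURE set in the board config      */
	int disable_legacy; /* proposed opt-out (CONFIG_DISABLE_IMAGE_... )      */
	int board_legacy;   /* board defines CONFIG_IMAGE_FORMAT_LEGACY itself   */
};

/* Same decision as the proposed config_defaults block, evaluated at run time. */
static int legacy_format_enabled(const struct boot_config *c)
{
	int enabled = !c->fit_signature; /* default: on unless FIT signing is on */
	if (c->disable_legacy)
		enabled = 0;             /* explicit opt-out                      */
	if (c->board_legacy)
		enabled = 1;             /* board opts back in, e.g. ids8313      */
	return enabled;
}

enum verdict { BOOT_OK, BOOT_UNKNOWN_FORMAT, BOOT_LEGACY_DISABLED, BOOT_BAD_HCRC };

/* Format detection, then the policy gate, then (only for legacy) the CRC. */
static enum verdict bootm_check(const struct boot_config *c,
				const uint8_t *img, size_t len)
{
	if (len < IH_HDR_SIZE)
		return BOOT_UNKNOWN_FORMAT;
	uint32_t magic = get_be32(img);
	if (magic == FDT_MAGIC)
		return BOOT_OK; /* placeholder: FIT signature checks not modelled */
	if (magic != IH_MAGIC)
		return BOOT_UNKNOWN_FORMAT;
	if (!legacy_format_enabled(c))
		return BOOT_LEGACY_DISABLED; /* rejected before any CRC work */
	uint8_t hdr[IH_HDR_SIZE];
	memcpy(hdr, img, IH_HDR_SIZE);
	uint32_t hcrc = get_be32(hdr + 4);
	memset(hdr + 4, 0, 4);           /* ih_hcrc is zero while computing   */
	if (crc32_buf(hdr, IH_HDR_SIZE) != hcrc)
		return BOOT_BAD_HCRC;
	return BOOT_OK;
}

/* Constructed sample: a well-formed legacy header for a 4 KiB ARM kernel. */
static void make_legacy_header(uint8_t out[IH_HDR_SIZE])
{
	memset(out, 0, IH_HDR_SIZE);
	put_be32(out + 0, IH_MAGIC);
	put_be32(out + 12, 0x1000);  /* ih_size */
	put_be32(out + 16, 0x8000);  /* ih_load */
	put_be32(out + 20, 0x8000);  /* ih_ep   */
	out[28] = 5; out[29] = 2; out[30] = 2; out[31] = 0; /* linux, arm, kernel, none */
	memcpy(out + 32, "demo-kernel", 12);                 /* ih_name */
	put_be32(out + 4, crc32_buf(out, IH_HDR_SIZE));      /* hcrc, field zeroed */
}

int main(void)
{
	uint8_t img[IH_HDR_SIZE];
	make_legacy_header(img);
	struct boot_config signed_boot = { 1, 0, 0 }, plain_boot = { 0, 0, 0 };
	printf("CONFIG_FIT_SIGNATURE set:   verdict %d\n",
	       bootm_check(&signed_boot, img, sizeof img));
	printf("CONFIG_FIT_SIGNATURE unset: verdict %d\n",
	       bootm_check(&plain_boot, img, sizeof img));
	return 0;
}
```

With CONFIG_FIT_SIGNATURE modelled as set, the header is refused as BOOT_LEGACY_DISABLED even though its CRC is intact; flipping board_legacy on (the ids8313 situation) lets the very same bytes boot again, which is exactly the "only if someone really knows what he is doing" case from the quoted discussion.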