From: mike <mike@kaew.be>
To: u-boot@lists.denx.de
Subject: [U-Boot] Verified boot and Legacy Kernel Images
Date: Sun, 07 Sep 2014 17:27:37 +0200 [thread overview]
Message-ID: <540C7969.9060309@kaew.be> (raw)
In-Reply-To: <CAPnjgZ35v+s2=GLpGZe7DeR-Pf=rti9s4B0Fi-Sif_kdR5azAg@mail.gmail.com>
Hi Simon,
Thanks and to Heiko also.
Mike
On 09/05/2014 11:54 PM, Simon Glass wrote:
> Hi,
>
> On 6 May 2014 00:38, Heiko Schocher <hs@denx.de> wrote:
>> Hello Mike,
>>
>> Am 05.05.2014 16:27, schrieb Mike Pearce:
>>> Please help as I am confused.
>>>
>>> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
>>> works fine with FIT images. However it still boots the resident legacy
>>> kernal that has not been signed.
>>>
>>> This means that anyone wishing to circumvent the signed hash can do so by
>>> replacing the image file with a legacy one. That makes for a security hole
>>> and so I must have done something wrong.
>>
>> No, you did nothing wrong ...
>>
>>> When I look at function bootm_find_os() from file cmd_bootm.c its switch
>>> statement provides this behaviour -
>>>
>>> case IMAGE_FORMAT_LEGACY:
>>> cool, its a go from me. Verify using an unsigned hash.
>>> break;
>>> #if defined(CONFIG_FIT)
>>> case IMAGE_FORMAT_FIT:
>>> do the signed hash checks when loading the image.
>>> break;
>>>
>>> What I cannot find in the code is anything that I can compile in to
>>> prevent
>>> an unsigned legacy kernel from booting. The defines I already used include
>>>
>>> #define CONFIG_OF_LIBFDT
>>> #define CONFIG_CMD_HASH
>>> #define CONFIG_HASH_VERIFY
>>> #define CONFIG_FIT_SIGNATURE
>>> #define CONFIG_RSA
>>
>> See this thread:
>>
>> http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
>>
>> in particular Simons statement:
>> http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
>>
>> -> Currently, nothing prevents to boot an unsigned legacy kernel ...
>>
>> Patches are welcome ;-)
> To close the loop, Heiko's patch (commit 21d29f7f) to fix this was
> merged in May. The new default behaviour is to disable legacy format
> unless CONFIG_IMAGE_FORMAT_LEGACY is defined. So this should fix the
> problem.
>
> Note also the -r flag to mkimage which marks a key as 'required to be verified'
>
> Regards,
> Simon
>
prev parent reply other threads:[~2014-09-07 15:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-05 14:27 [U-Boot] Verified boot and Legacy Kernel Images Mike Pearce
2014-05-06 6:38 ` Heiko Schocher
2014-09-05 21:54 ` Simon Glass
2014-09-07 15:27 ` mike [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=540C7969.9060309@kaew.be \
--to=mike@kaew.be \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox