* [U-Boot] Verified boot and Legacy Kernel Images
@ 2014-05-05 14:27 Mike Pearce
From: Mike Pearce @ 2014-05-05 14:27 UTC (permalink / raw)
To: u-boot
Please help as I am confused.
I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
works fine with FIT images. However it still boots the resident legacy
kernel that has not been signed.
This means that anyone wishing to circumvent the signed hash can do so by
replacing the image file with a legacy one. That makes for a security hole
and so I must have done something wrong.
When I look at function bootm_find_os() from file cmd_bootm.c its switch
statement provides this behaviour -
case IMAGE_FORMAT_LEGACY:
	/* cool, it's a go from me. Verify using an unsigned hash. */
	break;
#if defined(CONFIG_FIT)
case IMAGE_FORMAT_FIT:
	/* do the signed hash checks when loading the image. */
	break;
What I cannot find in the code is anything that I can compile in to prevent
an unsigned legacy kernel from booting. The defines I already used include
#define CONFIG_OF_LIBFDT
#define CONFIG_CMD_HASH
#define CONFIG_HASH_VERIFY
#define CONFIG_FIT_SIGNATURE
#define CONFIG_RSA
Thanks,
Mike.
From: Heiko Schocher @ 2014-05-06 6:38 UTC (permalink / raw)
To: u-boot
Hello Mike,
On 05.05.2014 16:27, Mike Pearce wrote:
> Please help as I am confused.
>
> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
> works fine with FIT images. However it still boots the resident legacy
> kernel that has not been signed.
>
> This means that anyone wishing to circumvent the signed hash can do so by
> replacing the image file with a legacy one. That makes for a security hole
> and so I must have done something wrong.
No, you did nothing wrong ...
> When I look at function bootm_find_os() from file cmd_bootm.c its switch
> statement provides this behaviour -
>
> case IMAGE_FORMAT_LEGACY:
> cool, it's a go from me. Verify using an unsigned hash.
> break;
> #if defined(CONFIG_FIT)
> case IMAGE_FORMAT_FIT:
> do the signed hash checks when loading the image.
> break;
>
> What I cannot find in the code is anything that I can compile in to prevent
> an unsigned legacy kernel from booting. The defines I already used include
>
> #define CONFIG_OF_LIBFDT
> #define CONFIG_CMD_HASH
> #define CONFIG_HASH_VERIFY
> #define CONFIG_FIT_SIGNATURE
> #define CONFIG_RSA
See this thread:
http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
in particular Simon's statement:
http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
-> Currently, nothing prevents booting an unsigned legacy kernel ...
Patches are welcome ;-)
bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
From: Simon Glass @ 2014-09-05 21:54 UTC (permalink / raw)
To: u-boot
Hi,
On 6 May 2014 00:38, Heiko Schocher <hs@denx.de> wrote:
> Hello Mike,
>
> On 05.05.2014 16:27, Mike Pearce wrote:
>>
>> Please help as I am confused.
>>
>> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
>> works fine with FIT images. However it still boots the resident legacy
>> kernel that has not been signed.
>>
>> This means that anyone wishing to circumvent the signed hash can do so by
>> replacing the image file with a legacy one. That makes for a security hole
>> and so I must have done something wrong.
>
>
> No, you did nothing wrong ...
>
>> When I look at function bootm_find_os() from file cmd_bootm.c its switch
>> statement provides this behaviour -
>>
>> case IMAGE_FORMAT_LEGACY:
>> cool, it's a go from me. Verify using an unsigned hash.
>> break;
>> #if defined(CONFIG_FIT)
>> case IMAGE_FORMAT_FIT:
>> do the signed hash checks when loading the image.
>> break;
>>
>> What I cannot find in the code is anything that I can compile in to
>> prevent
>> an unsigned legacy kernel from booting. The defines I already used include
>>
>> #define CONFIG_OF_LIBFDT
>> #define CONFIG_CMD_HASH
>> #define CONFIG_HASH_VERIFY
>> #define CONFIG_FIT_SIGNATURE
>> #define CONFIG_RSA
>
>
> See this thread:
>
> http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
>
> in particular Simon's statement:
> http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
>
> -> Currently, nothing prevents booting an unsigned legacy kernel ...
>
> Patches are welcome ;-)
To close the loop, Heiko's patch (commit 21d29f7f) to fix this was
merged in May. The new default behaviour is to disable legacy format
unless CONFIG_IMAGE_FORMAT_LEGACY is defined. So this should fix the
problem.
Note also the -r flag to mkimage, which marks a key as 'required to be verified'.
Regards,
Simon
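To make the point of Simon's closing note concrete, here is an added C illustration (not code from this thread or from U-Boot itself) of the two branches of that bootm_find_os() switch: the only check a legacy image ever gets is a CRC-32 that anyone can recompute, so the fix has to be refusing the format, which is what allow_legacy (standing in for CONFIG_IMAGE_FORMAT_LEGACY) does. The magic words and header offsets are U-Boot's; every function name and the sample payload are constructed here.

```c
#include <stdint.h>
#include <string.h>
/* Magic words from U-Boot's include/image.h and libfdt; both are stored big-endian. */
#define IH_MAGIC   0x27051956u  /* legacy uImage header */
#define FDT_MAGIC  0xd00dfeedu  /* flattened device tree, the container of a FIT image */
#define IH_HDR_LEN 64           /* sizeof(image_header_t) */
enum image_format { IMAGE_FORMAT_INVALID, IMAGE_FORMAT_LEGACY, IMAGE_FORMAT_FIT };
static uint32_t be32(const unsigned char *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put_be32(unsigned char *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
/* CRC-32 with the zlib polynomial, which is what U-Boot's legacy image checks use. */
uint32_t crc32_buf(const unsigned char *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++)
        for (int k = (c ^= p[i], 8); k--; ) c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1)));
    return ~c;
}
/* Same decision genimg_get_format() makes: the first word alone picks the format. */
enum image_format classify_image(const unsigned char *buf, size_t len) {
    uint32_t magic = len >= 4 ? be32(buf) : 0;
    return magic == IH_MAGIC ? IMAGE_FORMAT_LEGACY : magic == FDT_MAGIC ? IMAGE_FORMAT_FIT : IMAGE_FORMAT_INVALID;
}
/* Legacy "verification": header CRC at offset 4 (hashed with that field zeroed) and data CRC at
 * offset 24 over ih_size payload bytes. No key is involved, so anyone can make an image pass. */
int legacy_image_crc_ok(const unsigned char *img, size_t len) {
    unsigned char hdr[IH_HDR_LEN];
    if (len < IH_HDR_LEN) return 0;
    uint32_t hcrc = be32(img + 4), size = be32(img + 12), dcrc = be32(img + 24);
    memcpy(hdr, img, IH_HDR_LEN); memset(hdr + 4, 0, 4);
    if (crc32_buf(hdr, IH_HDR_LEN) != hcrc || len - IH_HDR_LEN < size) return 0;
    return crc32_buf(img + IH_HDR_LEN, size) == dcrc;
}
/* The bootm_find_os() switch; allow_legacy stands in for CONFIG_IMAGE_FORMAT_LEGACY being defined.
 * A FIT image passes here because its RSA signature is checked later, when the image is loaded. */
int boot_allowed(const unsigned char *img, size_t len, int allow_legacy) {
    switch (classify_image(img, len)) {
    case IMAGE_FORMAT_LEGACY: return allow_legacy && legacy_image_crc_ok(img, len);
    case IMAGE_FORMAT_FIT:    return 1;
    default:                  return 0;
    }
}
/* Constructed sample: a legacy image around a constructed payload, built as mkimage would (no key
 * anywhere). With tamper set, one payload bit is flipped after the CRCs were computed. */
int sample_legacy_boot_decision(int allow_legacy, int tamper) {
    static const unsigned char payload[] = "constructed fake kernel";
    unsigned char img[IH_HDR_LEN + sizeof payload] = {0};
    put_be32(img, IH_MAGIC); put_be32(img + 12, sizeof payload); put_be32(img + 24, crc32_buf(payload, sizeof payload));
    memcpy(img + IH_HDR_LEN, payload, sizeof payload);
    put_be32(img + 4, crc32_buf(img, IH_HDR_LEN)); /* hcrc over the header with its own field zeroed */
    if (tamper) img[IH_HDR_LEN] ^= 1;              /* a CRC catches accidents, not a deliberate rebuild */
    return boot_allowed(img, sizeof img, allow_legacy);
}
```

With allow_legacy set the unsigned sample boots; with it cleared the same bytes are refused before any CRC is even looked at, which is the behaviour the merged default gives.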
From: mike @ 2014-09-07 15:27 UTC (permalink / raw)
To: u-boot
Hi Simon,
Thanks and to Heiko also.
Mike