From: mike
Date: Sun, 07 Sep 2014 17:27:37 +0200
Subject: [U-Boot] Verified boot and Legacy Kernel Images
References: <5368834D.1080206@denx.de>
Message-ID: <540C7969.9060309@kaew.be>
To: u-boot@lists.denx.de

Hi Simon,

Thanks, and to Heiko also.

Mike

On 09/05/2014 11:54 PM, Simon Glass wrote:
> Hi,
>
> On 6 May 2014 00:38, Heiko Schocher wrote:
>> Hello Mike,
>>
>> On 05.05.2014 16:27, Mike Pearce wrote:
>>> Please help as I am confused.
>>>
>>> I implemented verified boot on 2014.04 using CONFIG_OF_SEPARATE and it
>>> works fine with FIT images. However it still boots the resident legacy
>>> kernel that has not been signed.
>>>
>>> This means that anyone wishing to circumvent the signed hash can do so by
>>> replacing the image file with a legacy one. That makes for a security hole
>>> and so I must have done something wrong.
>>
>> No, you did nothing wrong ...
>>
>>> When I look at function bootm_find_os() from file cmd_bootm.c its switch
>>> statement provides this behaviour -
>>>
>>>     case IMAGE_FORMAT_LEGACY:
>>>         cool, it's a go from me. Verify using an unsigned hash.
>>>         break;
>>>     #if defined(CONFIG_FIT)
>>>     case IMAGE_FORMAT_FIT:
>>>         do the signed hash checks when loading the image.
>>>         break;
>>>
>>> What I cannot find in the code is anything that I can compile in to
>>> prevent an unsigned legacy kernel from booting. The defines I already
>>> used include
>>>
>>>     #define CONFIG_OF_LIBFDT
>>>     #define CONFIG_CMD_HASH
>>>     #define CONFIG_HASH_VERIFY
>>>     #define CONFIG_FIT_SIGNATURE
>>>     #define CONFIG_RSA
>>
>> See this thread:
>>
>> http://lists.denx.de/pipermail/u-boot/2014-May/178800.html
>>
>> in particular Simon's statement:
>> http://lists.denx.de/pipermail/u-boot/2014-May/178922.html
>>
>> -> Currently, nothing prevents booting an unsigned legacy kernel ...
>>
>> Patches are welcome ;-)
>
> To close the loop, Heiko's patch (commit 21d29f7f) to fix this was
> merged in May. The new default behaviour is to disable legacy format
> unless CONFIG_IMAGE_FORMAT_LEGACY is defined. So this should fix the
> problem.
>
> Note also the -r flag to mkimage which marks a key as 'required to be verified'.
>
> Regards,
> Simon
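Two things from Simon's reply are worth checking on a real build: that the board configuration does not re-enable the legacy uImage format that Mike found bypassed the signature check, and that the public key injected into the control DTB with mkimage -r carries the "required" marker, so a FIT configuration without a valid signature is rejected rather than merely unverified. The script below is an added example, not code from this thread or from the U-Boot tree. It writes a constructed ITS that signs the whole configuration (kernel and fdt together, so the two cannot be mixed and matched), greps a config header for CONFIG_IMAGE_FORMAT_LEGACY as a simple heuristic, and, only if openssl, dtc and mkimage are installed, generates a throwaway key named "dev", signs the FIT and confirms the `required = "conf"` property landed in the control DTB. The key name, load addresses, paths and sample payloads are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the U-Boot tree): sign a FIT
# configuration with a key marked "required" and check that the board
# header leaves the legacy image format disabled. Key name "dev", paths,
# load/entry addresses and payload contents are constructed for this demo.
set -u

# Write a minimal ITS that signs the *configuration* (kernel + fdt as a
# unit), so an attacker can neither drop in an unsigned kernel nor pair a
# signed kernel with a different fdt. $1 = output .its, $2 = kernel blob,
# $3 = fdt blob (absolute paths, so dtc's /incbin/ finds them anywhere).
write_its() {
    cat > "$1" <<EOF
/dts-v1/;
/ {
    description = "Signed kernel + fdt (constructed example)";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "kernel";
            data = /incbin/("$2");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x80008000>;
            entry = <0x80008000>;
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            description = "device tree";
            data = /incbin/("$3");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel";
            };
        };
    };
};
EOF
}

# Return 0 when the board header does not define CONFIG_IMAGE_FORMAT_LEGACY
# (the post-21d29f7f default once CONFIG_FIT_SIGNATURE is set), 1 when a
# "#define CONFIG_IMAGE_FORMAT_LEGACY" would re-open the hole Mike found.
# Assumption: a plain grep over one header is enough for the build in hand.
legacy_format_disabled() {
    ! grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+CONFIG_IMAGE_FORMAT_LEGACY([[:space:]]|$)' "$1"
}

# Generate a throwaway RSA key, sign the FIT and inject the public key into
# the control dtb with -r, which sets required = "conf" on the key node so
# U-Boot refuses any configuration not signed by "dev". $1 = work dir that
# already holds image.its. Returns 2 (skipped) if a tool is missing.
sign_fit() {
    dir=$1
    for tool in openssl dtc mkimage; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skip: $tool not installed"; return 2; }
    done
    mkdir -p "$dir/keys"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/keys/dev.key" 2>/dev/null
    openssl req -batch -new -x509 -key "$dir/keys/dev.key" \
        -out "$dir/keys/dev.crt" -subj /CN=dev 2>/dev/null
    # Empty control dtb with padding so mkimage -K has room for /signature.
    printf '/dts-v1/;\n/ { };\n' > "$dir/u-boot.dts"
    dtc -p 2048 -I dts -O dtb -o "$dir/u-boot.dtb" "$dir/u-boot.dts"
    mkimage -f "$dir/image.its" -k "$dir/keys" -K "$dir/u-boot.dtb" \
        -r "$dir/image.itb" >/dev/null
    # The "required" marker turns "signature present" into "signature mandatory".
    dtc -I dtb -O dts "$dir/u-boot.dtb" 2>/dev/null | grep -q 'required = "conf"'
}
```

Run it as `sh verify-fit.sh` with a work directory holding your kernel and fdt; the interesting negative test is to deliberately add `#define CONFIG_IMAGE_FORMAT_LEGACY` to a copy of the board header and watch `legacy_format_disabled` flag it. If mkimage reports that the control DTB has no space for the key, increase the `-p` padding passed to dtc.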