From mboxrd@z Thu Jan 1 00:00:00 1970 From: REITHER Robert - Contractor Date: Wed, 16 Sep 2020 15:31:18 +0000 Subject: U-Boot FIT Signature Verification Message-ID: <82a6e596a6fe4311918d4f91937460b5@external.thalesgroup.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi there I don't think it would make sense to check for expiration (even in case we would have full certificates like PKCS#7 verifiy) At our point of the boot process we normally do not have access to a trusted time/date, so any check could be simply spoofed or even worse fails, because wall clock is not initialized properly. I think even the EFI boot-process (or shim) does not check expiration date of their certificates! What could make sense is a check for an expired certificate/key at signing time (including intermed certs), but not sure if this would be a too hard restriction (at least for developing/testing). I think a hint for the signer should be enough! Regards Robert On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote: > On 9/11/20 7:26 PM, Andrii Voloshyn wrote: > > Hi there, > > > > Does U-boot take into account certificate expiration date when verifying signed images in FIT? In other words, is date stored along with the public key in DTB file? > > > > Cheers, > > Andy > > > > Hello Philippe, > > looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot > find a comparison of the date on which an image was signed with the > expiry date of the certificate. Shouldn't there be a check? Or did I > simply look into the wrong function? I think Simon is the right person to answer this question, but as far as I know, we don't have any device tree property for the expiration date of a public key. See doc/uImage.FIT/signature.txt. -Takahiro Akashi > Best regards > > Heinrich