[U-Boot] Authenticated boot

[U-Boot] Authenticated boot

[Kees-Jan Hermans]

Hello,



The last reference I could find about it, is an email from dec.17 2012, but I'd like to re-ignite the discussion. Also, I'm new here - forgive me if I'm asking stupid questions.



I'd like to implement a form of authenticated boot into u-boot. That is, I need it myself for a device that I'm making, and I'll gladly use anything if it is already available, but I don't think it is. For my solution, I'm assuming the existence (somewhere) to U-boot of the following three files/buffers:



- A boot-image (a RAM disk)

- A public key (type RSA in some format, perhaps more simple than x509 pem to keep additional source code small)

- A signature



and a function, based on those three files (I suppose that - although difficult - the signature can be part of the boot-image, while the public key may have to be in a boot-flash partition), that tells U-boot whether booting the image is Ok or not (and not booting when it's not Ok).



I propose to do this, not using hardware encryption (which might not always be available and, in my case, I'm not even allowed to use) or openssl (which is a monster), but (parts of - which is, unlike openssl, quite easy) polarssl for the crypto.



That is, of course, unless this feature already exists, which I would very much like to hear. Thanks for your time,



KJ

[U-Boot] Authenticated boot

[Romain Izard]

On 2013-08-21, Kees-Jan Hermans <hermans@fox-it.com> wrote:
>
> That is, of course, unless this feature already exists, which I would
> very much like to hear. Thanks for your time,
>
You're in luck.  The feature was merged for the v2013.07 U-Boot release,
with a standalone RSA signature verification algorithm. Its
documentation is available in the file doc/uImage.FIT/signature.txt

Best regards,
-- 
Romain Izard