
Dear Simon,
In message CAPnjgZ1_Cf-eu592YqF0=th7MT1da6Gh7Pv1Lxaf79kV8Lw9OQ@mail.gmail.com you wrote:
I agree that it might be dangerous to allow legacy boot when signature verification is used. It would be nice to fix that.
I think there is general agreement on this point.
This means that legacy is on by default, unless signature verification is enabled, in which case the default flips. But I worry that it might only confuse people. This seems like a Wolfgang / Tom question :-)
OK, here is my 0.02€ to it:
I think, no matter how we implement it, this should be exactly the behaviour. Average users tend to avoid reading documentation, so if they enable signature verification they most likely want a secure system, so we should give them just that. Only if someone really knows what he is doing should he be able to enable support for (insecure) legacy images.
As for the implementation - yes, the #ifdef CONFIG_FIT_SIGNATURE_VERIFICATION approach indeed does not look very nice, but then, it appears to be the straightforward implementation of what we want to do?
Best regards,
Wolfgang Denk