
Hi Heiko,
On 5 May 2014 01:35, Heiko Schocher <hs@denx.de> wrote:
Hello Simon,
just talked with Wolfgang about the booting process from signed images, as it is described in:
doc/uImage.FIT/verified-boot.txt
doc/uImage.FIT/signature.txt
If we see it correctly, then it is still possible to boot a uImage or a FIT image without a signature with "bootm" when CONFIG_FIT_SIGNATURE is defined.
The question that arose is whether this is good behaviour.
Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
What do you think?
There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
Regards, Simon
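To show what the 'required' property Simon refers to looks like in practice, here is an added example (not part of the thread, and not a file shipped by U-Boot) of a public-key node in the U-Boot control device tree, following the layout documented in doc/uImage.FIT/signature.txt. The key name, the algorithm choice and the numeric key values are constructed placeholders, not a real key.

```dts
/ {
	signature {
		/* One public-key node per trusted signing key (name is a constructed placeholder). */
		key-dev {
			/*
			 * 'required' is the property discussed above. With "conf", the
			 * configuration selected by bootm must carry a valid signature from
			 * this key or the boot is refused; "image" would instead require
			 * every loaded image to be signed with it. Without any required key
			 * an unsigned FIT image still boots.
			 */
			required = "conf";
			algo = "sha1,rsa2048";
			key-name-hint = "dev";
			rsa,num-bits = <2048>;
			/*
			 * Modulus, R^2 and N0 inverse are normally filled in by
			 * "mkimage -K <control.dtb>" from the signing key; the zero
			 * values below are placeholders, not usable key material.
			 */
			rsa,modulus = <0x00000000>;
			rsa,r-squared = <0x00000000>;
			rsa,n0-inverse = <0x00000000>;
		};
	};
};
```

In the normal flow this node is not hand-written: signing the FIT with mkimage (for example `mkimage -f image.its -k keys -K u-boot.dtb -r image.fit`) writes the public key into the control DTB, and the `-r` option is what sets `required` on the keys it adds. A practical check after enabling CONFIG_FIT_SIGNATURE is therefore to confirm that the control DTB actually contains a key with `required` set and that booting an unsigned FIT with bootm is rejected; without that property the verification code has nothing it must enforce.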