
Teddy, All,
On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed teddy.reed@gmail.com wrote:
Hi all, question, is anyone using the U-Boot verified-boot in production?
I have been digging into this lately as well, and actually noticed a few other things on top of what you are seeing, mentioned below. I don't want to derail this email thread too much, but there is another patch working on signature-key fallback sequencing as well (which claims to be supported).
No worries, any/all attention on the verified-boot implementation is great!
I agree, it's a pretty handy feature.
I am using configuration verification for several OpenCompute/OpenBMC boards. After a deep-dive review I found some edge cases that in rare circumstances could lead to a signature check bypass.
Slightly related: if you use two FIT images to boot, it seems that the second will never be verified. Once the first is deemed OK it just lets the boot happen.
Good find, this sounds like a limitation of the signature checking. But this can be dangerous if you expected the secondary FIT to be checked. I hope no one is using this scenario for production boards.
Curious if your planned patch is also addressing this limitation?
The patch I have out right now only focuses on the fallback mechanism mentioned earlier; I wasn't able to go into the details on this one as it may have fallen out of our scope. I will likely drop an RFC at some point to try to get the conversation moving, however.
Thanks,
Sam