Hi Heiko,
On 7 May 2014 01:06, Heiko Schocher hs@denx.de wrote:
Hello Simon,
Am 05.05.2014 20:31, schrieb Simon Glass:
Hi Wolfgang,
On 5 May 2014 11:55, Wolfgang Denkwd@denx.de wrote:
Dear Simon,
In message<CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm 98LF96PLfu-g@mail.gmail.com> you wrote:
Should we not prevent booting uImages or not signed FIT Images when
CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through an U-Boot env variable.
What Do you think?
There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
But what about legacy uImage files? It appears nothing would stop booting one of those?
That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
The question is here, do we introduce a new config option for this, or do we use for example CONFIG_FIT_SIGNATURE to disable it?
I prefer to check CONFIG_FIT_SIGNATURE, and disable IMAGE_FORMAT_LEGACY complete.
I suggest a new CONFIG option, like CONFIG_DISABLE_IMAGE_FORMAT_LEGACY or possible a device tree option, since if you force disable of the legacy format you are actually removing functionality. At present CONFIG_FIT_SIGNATURE is a capability, and one capability should not normally preclude another.
Regards, Simon