
Hi Andrew,
I am curious about the usage scenario. Is the runtime control required for production release? This control acts like a backdoor that bypasses the chain of trust. If it is for debugging/development purposes, should we encourage the use of unsigned images in R&D environments? Beyond this, I have no concern, as the patch provides more flexibility.
From: Andrew Jeffery andrew@aj.id.au Sent: Monday, January 31, 2022 11:42 AM
Some platform designs include support for disabling secure-boot via a jumper on the board. Sometimes this control can be separate from the mechanism enabling the root-of-trust for the platform. Add support for this latter scenario by allowing boards to implement board_fit_image_require_verfied(), which is then invoked in the usual FIT verification paths.
Signed-off-by: Andrew Jeffery andrew@aj.id.au
Hi,
This patch is extracted from and motivated by a series adding run-time control of FIT signature verification to u-boot in OpenBMC:
https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking upstream and contains a bunch of out-of-tree work as well. As such I'm looking to upstream the couple of changes that make sense against master.
Please take a look!
Andrew
 boot/Kconfig     |  8 ++++++++
 boot/image-fit.c | 21 +++++++++++++++++----
 include/image.h  |  9 +++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig index c8d5906cd304..ec413151fd5a 100644 --- a/boot/Kconfig +++ b/boot/Kconfig @@ -78,6 +78,14 @@ config FIT_SIGNATURE format support in this case, enable it using CONFIG_LEGACY_IMAGE_FORMAT.
+if FIT_SIGNATURE +config FIT_RUNTIME_SIGNATURE
- bool "Control verification of FIT uImages at runtime"
- help
This option allows board support to disable verification of
signatures at runtime, for example through the state of a GPIO.
+endif # FIT_SIGNATURE
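Review bot: the help text for FIT_RUNTIME_SIGNATURE neither names the hook a board has to implement nor states what enabling the option means for the chain of trust, so a reader of menuconfig cannot tell what they are turning on. The commit message says boards provide board_fit_image_require_verfied() and that it is called from the usual FIT verification paths; the help should say so, and add that once this option is enabled the board's implementation decides whether an unsigned or wrongly signed FIT is accepted, so it must only report "not required" on a trusted, physically controlled signal and the option should stay disabled in production configurations. Separately, a single option is conventionally gated with `depends on FIT_SIGNATURE` inside the config entry rather than an `if FIT_SIGNATURE` / `endif` wrapper around it.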
Using "depends on" might be preferred for the Kconfig dependency.
Regards, Chiawei
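As an added illustration, not code from the patch, from OpenBMC or from upstream U-Boot: a self-contained C model of where a board hook of this kind sits in the FIT verification path, and of the fail-closed behaviour a board implementation needs when the jumper it consults cannot be read. The function names board_fit_image_require_verified() and fit_image_check(), the simulated GPIO, and the FNV-1a stand-in for the real signature check are all assumptions made for the demo; the Kconfig symbol is modelled with a #define only so the block builds on its own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the Kconfig symbol. A real build gets this from the
 * generated config, never from a #define in a source file. */
#define CONFIG_FIT_RUNTIME_SIGNATURE 1

/* Simulated board: a "disable secure-boot" jumper read through a GPIO.
 * Negative means the read itself failed, as GPIO APIs commonly report. */
enum jumper_state { JUMPER_READ_ERROR = -1, JUMPER_SECURE = 0, JUMPER_DISABLE = 1 };
static enum jumper_state sim_jumper = JUMPER_SECURE;

void sim_set_jumper(enum jumper_state s) { sim_jumper = s; }
static int sim_gpio_get_value(void) { return (int)sim_jumper; }

/* Hypothetical board hook. The generic code expects a weak default that
 * returns true; this board override skips verification only when the
 * jumper is positively read as "disable". A read error fails closed. */
bool board_fit_image_require_verified(void)
{
	int level = sim_gpio_get_value();

	if (level < 0) {
		printf("jumper read failed (%d), requiring verification\n", level);
		return true;
	}
	return level != JUMPER_DISABLE;
}

/* Generic side: the hook is consulted only when the option is compiled in. */
static bool fit_image_require_verified(void)
{
#if CONFIG_FIT_RUNTIME_SIGNATURE
	return board_fit_image_require_verified();
#else
	return true;
#endif
}

struct fit_image {
	const uint8_t *data;
	size_t len;
	uint32_t sig;	/* placeholder for the signature a signed FIT carries */
};

/* FNV-1a is NOT a signature. It only stands in for the real check so that
 * the control flow around it can be exercised offline. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
	uint32_t h = 0x811c9dc5u;
	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x01000193u;
	}
	return h;
}

static bool fit_image_signature_ok(const struct fit_image *img)
{
	return fnv1a32(img->data, img->len) == img->sig;
}

enum fit_result { FIT_OK_VERIFIED, FIT_OK_UNVERIFIED, FIT_REJECTED };

/* The signature check is bypassed only when the hook explicitly says it is
 * not required; every other path still verifies. */
enum fit_result fit_image_check(const struct fit_image *img)
{
	if (!fit_image_require_verified()) {
		printf("FIT: verification disabled by board, booting unverified image\n");
		return FIT_OK_UNVERIFIED;
	}
	if (!fit_image_signature_ok(img)) {
		printf("FIT: signature check failed, refusing image\n");
		return FIT_REJECTED;
	}
	return FIT_OK_VERIFIED;
}

/* Constructed sample images for the demo. */
static const uint8_t sample_payload[] = { 'k', 'e', 'r', 'n', 'e', 'l' };

struct fit_image sample_signed_image(void)
{
	struct fit_image img = { sample_payload, sizeof(sample_payload), 0 };
	img.sig = fnv1a32(img.data, img.len);	/* "sign" the payload */
	return img;
}

struct fit_image sample_tampered_image(void)
{
	struct fit_image img = sample_signed_image();
	img.sig ^= 1;	/* signature no longer matches the payload */
	return img;
}

int main(void)
{
	struct fit_image good = sample_signed_image();
	struct fit_image bad = sample_tampered_image();

	sim_set_jumper(JUMPER_SECURE);
	printf("secure, good image: %d\n", fit_image_check(&good));
	printf("secure, bad image: %d\n", fit_image_check(&bad));
	sim_set_jumper(JUMPER_DISABLE);
	printf("disabled, bad image: %d\n", fit_image_check(&bad));
	sim_set_jumper(JUMPER_READ_ERROR);
	printf("read error, bad image: %d\n", fit_image_check(&bad));
	return 0;
}
```

The point the model makes is the one Chiawei raises: with the option compiled in, whatever the board hook reads is now part of the trust boundary, so the hook must treat an unreadable or ambiguous signal as "verification required", and the option belongs only in development configurations.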