
Dear Simon,
In message CAPnjgZ3OKQ8UZMOrQ7m7zWDWsFa2yZqCT2F69sKwgjDymOzePw@mail.gmail.com you wrote:
> > > There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
> >
> > But what about legacy uImage files? It appears nothing would stop booting one of those?
>
> That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
This makes sense to me. Thanks!
Best regards,
Wolfgang Denk
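The gap discussed above, as an added stand-alone C model (not U-Boot code): image format is classified by header magic as genimg_get_format() does, and a gate modelled on the suggested boot_get_kernel() check refuses a legacy uImage whenever signed FIT boot is enforced. The `signature_enforced` flag stands in for the CONFIG option named in the thread; `classify_image` and `kernel_format_allowed` are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Header magics as defined by U-Boot's image.h and libfdt. */
#define IH_MAGIC  0x27051956u   /* legacy uImage header */
#define FDT_MAGIC 0xd00dfeedu   /* a FIT image is a flattened device tree */

enum image_format {
	IMAGE_FORMAT_INVALID,
	IMAGE_FORMAT_LEGACY,   /* uImage: header CRC only, no signature */
	IMAGE_FORMAT_FIT       /* FIT: can carry per-image or config signatures */
};

static uint32_t be32_at(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify a candidate kernel image by its leading magic word. */
enum image_format classify_image(const uint8_t *buf, size_t len)
{
	if (buf == NULL || len < 4)
		return IMAGE_FORMAT_INVALID;
	if (be32_at(buf) == IH_MAGIC)
		return IMAGE_FORMAT_LEGACY;
	if (be32_at(buf) == FDT_MAGIC)
		return IMAGE_FORMAT_FIT;
	return IMAGE_FORMAT_INVALID;
}

/*
 * The policy the thread arrives at: when the build enforces signature
 * verification, the legacy format must be compiled out, because a 'required'
 * key is only ever checked on the FIT path (fit_image_load()) and a uImage
 * would otherwise boot with no verification at all.
 */
bool kernel_format_allowed(enum image_format fmt, bool signature_enforced)
{
	switch (fmt) {
	case IMAGE_FORMAT_FIT:
		return true;                    /* goes on to FIT verification */
	case IMAGE_FORMAT_LEGACY:
		return !signature_enforced;     /* the bypass the thread closes */
	default:
		return false;
	}
}
```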