
Hi Johann,
On 31 July 2018 at 02:22, Johann Neuhauser jneuhauser@dh-electronics.de wrote:
Dear U-Boot devs,
I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt". That's why I have only implemented signed configurations and no signed images, as in doc/uImage.FIT/signed-configs.its. My public key in my embedded fdt has the property required = "conf";
Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected and does fail to boot if I modify the config, image, hash, signature and so on.
If I boot any FIT image (signed or unsigned), for example with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot every image combination without signature verification, although a signature is enforced for a configuration.
Is this the expected behavior?
I thought if I had set the public key in the embedded fdt as required for configurations, bootm would only boot signed configurations and no subimages directly...
I don't think there is any restriction on that at the moment. You are explicitly asking to boot particular images rather than a config. So I suppose it would be odd if U-Boot tried to enforce a config. Are you thinking it should try to find a config that has those images in it? But why not just specify the config to bootm?
Bear in mind also that users don't have access to the U-Boot command line when using verified boot, so they wouldn't be able to type this command.
Regards, Simon