
Dear Andreas,
In message CAB+EkH4j-UoUyHb=XgDbGRncX=Oq6+3+MNjWStiuojoOYUcMPw@mail.gmail.com you wrote:
> sha1sum sum is yes enough to verify that no files have been modified on the file system on the already installed Linux device.
It is also good enough to ensure that the files on any distribution media have not been corrupted or modified in some way. Of course it does not protect against intentional modifications.
> But my case here is if one needs to update the software on the device out somewhere in the world. We have now made a usb stick, and uboot looks for special files first on the usb stick before it continues normal boot. How can one ensure that the software on the usb stick is not altered on the way to include some additional unwanted features?
You cannot. Actually you would have to ensure first that the U-Boot running on that system has not been tampered with. If I were to attack such a system, I'd probably first install (or otherwise run) a version of U-Boot that has any such security checks disabled or removed.
Best regards,
Wolfgang Denk
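
Added example, not part of the original message: a small Python model of the distinction drawn above, showing that a sha1sum-style manifest stored next to the files catches corruption but not an intentional change by someone who can also rewrite the manifest. The file names, contents and the separately held reference manifest are constructed assumptions.

```python
import hashlib


def make_manifest(files):
    """Build a manifest in sha1sum's output format: '<hex digest>  <name>'."""
    return "\n".join(
        f"{hashlib.sha1(data).hexdigest()}  {name}"
        for name, data in sorted(files.items())
    )


def verify(files, manifest):
    """Mimic `sha1sum -c`: return names whose content does not match."""
    failed = []
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        data = files.get(name)
        if data is None or hashlib.sha1(data).hexdigest() != digest:
            failed.append(name)
    return failed


def stick_contents():
    # Constructed sample: placeholder names and contents for the update stick.
    files = {"uImage": b"kernel image v2", "rootfs.img": b"root file system v2"}
    return {"files": files, "manifest": make_manifest(files)}


def scenario_corruption():
    stick = stick_contents()
    stick["files"]["rootfs.img"] = b"root file system v\x00"  # damaged in transit
    return verify(stick["files"], stick["manifest"])


def scenario_intentional_change():
    stick = stick_contents()
    stick["files"]["rootfs.img"] += b" + unwanted feature"
    # Whoever can write the file can also rewrite the manifest beside it.
    stick["manifest"] = make_manifest(stick["files"])
    return verify(stick["files"], stick["manifest"])


def scenario_reference_kept_off_stick():
    # Assumption: a reference manifest is held somewhere the stick's handler
    # cannot write. This only helps if the program doing the check has not
    # itself been replaced, which is the point made in the reply above.
    reference = stick_contents()["manifest"]
    stick = stick_contents()
    stick["files"]["rootfs.img"] += b" + unwanted feature"
    stick["manifest"] = make_manifest(stick["files"])
    return verify(stick["files"], reference)
```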