I am looking at enabling verified boot in the v2019.04-rc4 tag of u-boot. I was pleased when I learned how to embed the public authentication key in my u-boot device tree, sign my kernel using my private authentication key, and see u-boot validate the signature on boot.
But then I was very surprised to learn that I could still boot an unsigned image. So I started looking at the code and I found `fit_image_verify_with_data() in "common/image_fit.c", which does:
if (IMAGE_ENABLE_VERIFY && fit_image_verify_required_sigs(fit, image_noffset, data, size, gd_fdt_blob(), &verify_all)) { err_msg = "Unable to verify required signature"; goto error; }
/* Process all hash subnodes of the component image node */ fdt_for_each_subnode(noffset, fit, image_noffset) { const char *name = fit_get_name(fit, noffset, NULL);
/* * Check subnode name, must be equal to "hash". * Multiple hash nodes require unique unit node * names, e.g. hash-1, hash-2, etc. */ if (!strncmp(name, FIT_HASH_NODENAME, strlen(FIT_HASH_NODENAME))) { if (fit_image_check_hash(fit, noffset, data, size, &err_msg)) goto error; puts("+ "); } else if (IMAGE_ENABLE_VERIFY && verify_all && !strncmp(name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) { ret = fit_image_check_sig(fit, noffset, data, size, -1, &err_msg);
/* * Show an indication on failure, but do not return * an error. Only keys marked 'required' can cause * an image validation failure. See the call to * fit_image_verify_required_sigs() above. */ if (ret) puts("- "); else puts("+ "); } }
I see that if I create a "required" property in my signature block, then u-boot will require that the signature match. But if I don't have that, then it will happily boot an unsigned image (or even one that doesn't have any signature blocks).
Am I missing something here?
Has this been improved/addressed since v2019.04-rc4?
If the answers are "No" and "No", then I will go in and address it myself. I welcome any tips folks might care to give me in advance of me just submitting a patch to address this.
--wpd