
On Wed, 21 Nov 2018 at 15:27, Wolfgang Denk wd@denx.de wrote:
Dear Stefano,
In message 7089ef62-ed0f-87f4-e979-8c18a6ae4b62@denx.de you wrote:
Right, when we sign (and check the signatures) of all other images, then why not do the very same for some environment image?
The weird thing is with "saveenv" - if we just read the env, it is fine, but if we want to change it, we need to sign, and this requires a private key on target.
Agreed, but this is a totally different issue.
The separate (potentially signed) environment image is only the replacement for the current "default environment", which is not used for "env save". In the same way, there is no need to modify the signed image.
But yes, it might be desirable to protect the working environment against malicious manipulation - but this should be discussed in a separate thread.
That would even be _better_ as currently there is no, absolutely no check if the builtin default environment is in any way consistent.
This is not true. If the environment is linked to u-boot, it is signed together with u-boot and its consistency is automatically verified.
Only if you use signed images. With plain U-Boot, there is not even a checksum for it...
When SPL loads U-Boot from a legacy image, isn't there a CRC involved over the full image including the environment?
Simon
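As an added example, not part of this thread or of U-Boot's own sources, a constructed Python model of the consistency check a saved environment gets (a CRC32 header over the NUL-separated data) and which the plain built-in default environment, as Wolfgang notes, does not; the little-endian CRC, zero padding and small environment size are assumptions made for the example:

```python
"""Constructed model of the stored U-Boot environment layout:
a 4-byte CRC32 followed by 'name=value' entries separated by NUL,
terminated by an extra NUL, padded out to the environment size."""
import struct
import zlib

ENV_SIZE = 0x80  # constructed size for this example; real boards use e.g. 0x2000


def build_env_image(variables, env_size=ENV_SIZE):
    """Serialize variables the way a saveenv-style writer would:
    CRC32 header (little-endian assumed), then the padded data region."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    if len(data) > env_size - 4:
        raise ValueError("environment does not fit in env_size")
    data = data.ljust(env_size - 4, b"\0")  # zero padding assumed; it is covered by the CRC
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<I", crc) + data


def env_crc_ok(image):
    """The check applied when importing a stored environment: the
    header CRC must match a CRC32 over the whole data region."""
    if len(image) < 5:
        return False
    (stored,) = struct.unpack("<I", image[:4])
    return stored == (zlib.crc32(image[4:]) & 0xFFFFFFFF)


def parse_env(image):
    """Return the variables of a stored environment image, refusing one
    whose CRC does not match (U-Boot falls back to its default environment)."""
    if not env_crc_ok(image):
        raise ValueError("environment CRC mismatch")
    data = image[4:]
    end = data.find(b"\0\0")
    body = data if end < 0 else data[:end]
    return dict(entry.split("=", 1) for entry in body.decode().split("\0") if entry)


if __name__ == "__main__":
    img = build_env_image({"bootdelay": "2", "bootcmd": "run distro_bootcmd"})
    print(parse_env(img))
    tampered = bytearray(img)
    tampered[4 + len(b"bootdelay=")] = ord("9")  # flip bootdelay from 2 to 9 in place
    print("tampered CRC ok?", env_crc_ok(bytes(tampered)))  # False
```

A signed environment image, as discussed above, would add an authenticity check on top of this integrity check; the CRC only detects corruption, not deliberate modification.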