On Fri, 30 Dec 2011 13:37:47 +0100 Wolfgang Denk wd@denx.de wrote:
Dear Andreas,
In message CAB+EkH4j-UoUyHb=XgDbGRncX=Oq6+3+MNjWStiuojoOYUcMPw@mail.gmail.com you wrote:
sha1sum sum is yes enough to verify that no files have been modified on the file system on the already installed Linux device.
It is also good enough to ensure that the files on any distribution media have not been corrupted or modified in some way. Of course it dies not protect against intentional modifications.
But my case here is if one need to update the software on the device out somewhere in the world we have now made a usb stick and uboot looks for special files first on the usb stick before it continues normal boot. How can one ensure that the software on the usb stick is not altered on the way to include some additional unwanted features?
You cannot. Actually you would have to insure first that the U-Boot running on that system has not been tampered with. If I were to attack such a system, I'd probably first install (or otherwise run) a version of U-boot that has any such security checks disabled or removed.
That depends on your hardware. SoCs with Freescale SEC v4+ h/w can enable a trusted boot mode after writing a private key to special-purpose on-chip key memory and subsequently blowing a fuse. The trusted boot mode ensures a continuous root of trust by booting an initial (u-)bootloader from on-chip firmware that verifies the authenticity of the u-boot image it loads before executing it. The initial bootloader is written in a similar fashion to the private key of the chip, and similarly can never be overwritten. Subsequent loads, e.g., u-boot->kernel, kernel->app, are free to inherit that same root of trust.
The Freescale BSP version of u-boot includes some of Freescale's secure boot work [1], but since then it's been modified to use the dedicated crypto unit to do the crypto and therefore boot much faster. Ideally u-boot would be modified to use either s/w or h/w crypto, but unfortunately I haven't had the time to look into it.
Kim
[1] I don't know where to find the latest that uses the h/w to do the crypto right now, but there's some s/w crypto based code available here:
http://git.freescale.com/git/cgit.cgi/ppc/sdk/u-boot.git/log/