
21 Nov
2018
4:01 p.m.
On 21/11/18 15:37, Simon Goldschmidt wrote:
On Wed, 21 Nov 2018, 15:27, Wolfgang Denk <wd@denx.de> wrote:
Dear Stefano,

In message <7089ef62-ed0f-87f4-e979-8c18a6ae4b62@denx.de> you wrote:
>
> > Right, when we sign (and check the signatures) of all other images,
> > then why not do the very same for some environment image?
>
> The weird thing is with "saveenv" - if we just read the env, it is fine,
> but if we want to change it, we need to sign, and this requires a
> private key on target.

Agreed, but this is a totally different issue. The separate (potentially signed) environment image is only the replacement for the current "default environment", which is not used for "env save". In the same way, there is no need to modify the signed image. But yes, it might be desirable to protect the working environment against malicious manipulation - but this should be discussed in a separate thread.

> > That would even be _better_ as currently there is no, absolutely no
> > check if the builtin default environment is in any way consistent.
>
> This is not true. If the environment is linked to u-boot, it is signed
> together with u-boot and its consistency is automatically verified.

Only if you use signed images. With plain U-Boot, there is not even a checksum for it...

When SPL loads U-Boot from a legacy image, isn't there a CRC involved over the full image including the environment?
I think Marek is talking about raw u-boot, not in case mkimage has put a header at the beginning. See CONFIG_SPL_RAW_IMAGE_SUPPORT and spl_parse_image_header(). The image is simply loaded without checks.
Best regards, Stefano
--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
=====================================================================
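
The distinction drawn in this message, between a raw image and one that mkimage has prefixed with a header, can be checked on a build host. The following is an added example, not code from U-Boot or from anyone in the thread: it assumes the 64-byte big-endian legacy mkimage header, and the names `classify_image`, `make_legacy`, `flip_last_env_byte` and the sample bytes are hypothetical and constructed. It says nothing about which of these checks SPL itself performs.

```python
import struct
import zlib

IH_MAGIC = 0x27051956              # magic of the legacy header mkimage prepends
HDR = struct.Struct(">7I4B32s")    # 64-byte big-endian legacy image header

def classify_image(blob: bytes) -> str:
    """Report which integrity data, if any, the image blob itself carries."""
    if len(blob) < HDR.size or struct.unpack_from(">I", blob)[0] != IH_MAGIC:
        return "raw: no header, nothing to verify"
    _magic, hcrc, _time, size, _load, _ep, dcrc, *_rest = HDR.unpack_from(blob)
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\0" * 4 + blob[8:HDR.size]
    if zlib.crc32(zeroed) != hcrc:
        return "legacy: header CRC mismatch"
    payload = blob[HDR.size:HDR.size + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        return "legacy: data CRC mismatch"
    return "legacy: header and data CRC ok"

def make_legacy(payload: bytes) -> bytes:
    """Wrap payload in a legacy header (constructed sample input only)."""
    # time/load/ep are zero; os/arch/type/comp and the name are constructed.
    fields = [IH_MAGIC, 0, 0, len(payload), 0, 0, zlib.crc32(payload),
              17, 2, 5, 0, b"sample"]
    fields[1] = zlib.crc32(HDR.pack(*fields))   # hcrc over header with hcrc=0
    return HDR.pack(*fields) + payload

def flip_last_env_byte(blob: bytes) -> bytes:
    """Simulate a one-bit change inside the built-in environment."""
    return blob[:-5] + bytes([blob[-5] ^ 1]) + blob[-4:]

# Constructed stand-in for a U-Boot binary with a linked-in default environment.
SAMPLE = b"\0" * 16 + b"bootdelay=3\0bootcmd=run distro_bootcmd\0"

if __name__ == "__main__":
    for name, img in (("raw", SAMPLE), ("legacy", make_legacy(SAMPLE))):
        print(name, "->", classify_image(img))
        print(name, "modified ->", classify_image(flip_last_env_byte(img)))
```

A passing CRC only shows the image was not corrupted: whoever can rewrite the payload can also recompute both CRC fields, which is why the thread treats checksums and signed images as separate questions.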