[U-Boot] Verified Boot: Mix and match attack

Hello developers,
I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt". That's why, as in doc/uImage.FIT/signed-configs.its, I have only implemented signed configurations and no signed images. My public key in my embedded fdt has the property required = "conf";.
Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected and does fail to boot if I modify the config, image, hash, signature and so on. If I boot any FIT image (signed or unsigned) with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot every image combination without signature verification.
Is this the expected behavior?
I thought if I had set the public key in the embedded fdt as required for configurations, bootm would only boot configurations and no subimages directly...
Regards,
Johann Neuhauser
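The gap described in the post is a policy question: a key with `required = "conf"` only forces verification when a *configuration* is selected, so `bootm addr:kernel@1 - fdt@1` never consults it. The following is an added example, not U-Boot code and not part of the original post: a small Python model of the `required` policy from doc/uImage.FIT/signature.txt that reproduces the unverified direct-subimage boot and shows that adding a key with `required = "image"` (and signing the images) closes it. An HMAC-SHA256 with a constructed secret stands in for the RSA signature, node names (`conf@1`, `kernel@1`, `fdt@1`) are taken from the post, and all function names are the example's own.

```python
"""Model of the FIT `required` signing policy (added example, not U-Boot code).

Integrity (the hash node) is always checked.  Authenticity (a signature)
is only enforced for the node kinds some public key marks as `required`:
"conf" for the selected configuration, "image" for each image booted.
A real FIT signature is RSA over the signed region; here an HMAC with a
constructed key stands in for it so the example runs offline.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-dev-key"  # stand-in for the RSA private key


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(payload: bytes) -> str:
    """Stand-in for an RSA signature over a FIT node's signed region."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def config_payload(fit: dict, conf_name: str) -> bytes:
    """A config signature covers the config and the hashes of its images."""
    conf = fit["configurations"][conf_name]
    parts = [conf_name]
    for role in ("kernel", "fdt"):
        img = conf[role]
        parts.append(f"{role}={img}:{fit['images'][img]['hash']}")
    return "|".join(parts).encode()


def verify_image(fit: dict, name: str, keys: dict) -> bool:
    img = fit["images"][name]
    if sha256(img["data"]) != img["hash"]:      # integrity, always enforced
        return False
    if any(k["required"] == "image" for k in keys.values()):
        sig = img.get("signature")              # authenticity, only if required
        return sig is not None and hmac.compare_digest(sig, sign(img["data"]))
    return True


def verify_config(fit: dict, conf_name: str, keys: dict) -> bool:
    conf = fit["configurations"][conf_name]
    if any(k["required"] == "conf" for k in keys.values()):
        sig = conf.get("signature")
        if sig is None or not hmac.compare_digest(sig, sign(config_payload(fit, conf_name))):
            return False
    return all(verify_image(fit, conf[r], keys) for r in ("kernel", "fdt"))


def boot_allowed(fit: dict, keys: dict, target: tuple) -> bool:
    """target is ('conf', 'conf@1') for `bootm addr#conf@1`, or
    ('images', 'kernel@1', 'fdt@1') for `bootm addr:kernel@1 - fdt@1`."""
    if target[0] == "conf":
        return verify_config(fit, target[1], keys)
    return all(verify_image(fit, n, keys) for n in target[1:])


def make_fit(sign_images: bool = False) -> dict:
    """Constructed FIT: one signed configuration, optionally signed images."""
    kernel = b"constructed kernel bytes"
    fdt = b"constructed device tree bytes"
    fit = {
        "images": {
            "kernel@1": {"data": kernel, "hash": sha256(kernel)},
            "fdt@1": {"data": fdt, "hash": sha256(fdt)},
        },
        "configurations": {"conf@1": {"kernel": "kernel@1", "fdt": "fdt@1"}},
    }
    if sign_images:
        for img in fit["images"].values():
            img["signature"] = sign(img["data"])
    fit["configurations"]["conf@1"]["signature"] = sign(config_payload(fit, "conf@1"))
    return fit


# Key stores as the embedded fdt would carry them: only `required` matters here.
CONF_ONLY = {"dev": {"required": "conf"}}
CONF_AND_IMAGE = {"dev": {"required": "conf"}, "dev-img": {"required": "image"}}


def demo() -> dict:
    """Direct-subimage boot of a swapped-in, unsigned image under both policies."""
    fit = make_fit(sign_images=True)
    foreign = b"constructed unsigned replacement kernel"
    fit["images"]["kernel@2"] = {"data": foreign, "hash": sha256(foreign)}  # valid hash, no signature
    target = ("images", "kernel@2", "fdt@1")
    return {
        "conf_only": boot_allowed(fit, CONF_ONLY, target),          # True: nothing required it
        "conf_and_image": boot_allowed(fit, CONF_AND_IMAGE, target),  # False: image signature required
    }


if __name__ == "__main__":
    print(demo())
```

The model is deliberately minimal: it does not parse a real FIT blob or do RSA, but it isolates the decision that matters here, namely that the `required` property is a per-node-kind switch, so a configuration-only policy says nothing about images that are selected without a configuration.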