[U-Boot] booting signed Images

Hello Simon,
just talked with Wolfgang about the booting process from signed images, as it is described in:
doc/uImage.FIT/verified-boot.txt doc/uImage.FIT/signature.txt
If we see it correctly, then it is still possible to boot a uImage or a FIT image without signature with "bootm" when CONFIG_FIT_SIGNATURE is defined.
The question raised is whether this is a good behaviour.
Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
What do you think?
Thanks in advance
bye, Heiko

Hi Heiko,
On 5 May 2014 01:35, Heiko Schocher hs@denx.de wrote:
> Hello Simon,
> just talked with Wolfgang about the booting process from signed images, as it is described in:
> doc/uImage.FIT/verified-boot.txt doc/uImage.FIT/signature.txt
> If we see it correctly, then it is still possible to boot a uImage or a FIT image without signature with "bootm" when CONFIG_FIT_SIGNATURE is defined.
> The question raised is whether this is a good behaviour.
> Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
> What do you think?
There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
Regards, Simon

Dear Simon,
In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com you wrote:
> > Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
> > What do you think?
> There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
But what about legacy uImage files? It appears nothing would stop booting one of those?
Best regards,
Wolfgang Denk

Hi Wolfgang,
On 5 May 2014 11:55, Wolfgang Denk wd@denx.de wrote:
> Dear Simon,
> In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com you wrote:
> > > Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
> > > What do you think?
> > There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
> But what about legacy uImage files? It appears nothing would stop booting one of those?
That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
Regards, Simon

Dear Simon,
In message CAPnjgZ3OKQ8UZMOrQ7m7zWDWsFa2yZqCT2F69sKwgjDymOzePw@mail.gmail.com you wrote:
> > > There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
> > But what about legacy uImage files? It appears nothing would stop booting one of those?
> That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
> One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
This makes sense to me. Thanks!
Best regards,
Wolfgang Denk

Hello Simon,
On 05.05.2014 20:31, Simon Glass wrote:
> Hi Wolfgang,
> On 5 May 2014 11:55, Wolfgang Denk wd@denx.de wrote:
> > Dear Simon,
> > In message CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com you wrote:
> > > > Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
> > > > What do you think?
> > > There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
> > But what about legacy uImage files? It appears nothing would stop booting one of those?
> That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
> One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
The question here is: do we introduce a new config option for this, or do we use, for example, CONFIG_FIT_SIGNATURE to disable it?
I prefer to check CONFIG_FIT_SIGNATURE, and disable IMAGE_FORMAT_LEGACY completely.
bye, Heiko

Hi Heiko,
On 7 May 2014 01:06, Heiko Schocher hs@denx.de wrote:
> Hello Simon,
> On 05.05.2014 20:31, Simon Glass wrote:
> > Hi Wolfgang,
> > On 5 May 2014 11:55, Wolfgang Denk wd@denx.de wrote:
> > > Dear Simon,
> > > In message <CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com> you wrote:
> > > > > Should we not prevent booting uImages or unsigned FIT images when CONFIG_FIT_SIGNATURE is defined? Or at least prevent booting such unsigned images through a U-Boot env variable.
> > > > > What do you think?
> > > > There is a 'required' property in the public keys which is intended to support this. If you mark a key as 'required' then it will need to be verified by any image that is loaded. There is a test for this case, but it may not be comprehensive.
> > > But what about legacy uImage files? It appears nothing would stop booting one of those?
> > That's right, there is nothing to stop that at present. The verification happens either on each image (for per-image signing) or on the selected configuration as a whole (in fit_image_load() when it sees the kernel being loaded).
> > One simple solution might be to check a CONFIG option in boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
> The question here is: do we introduce a new config option for this, or do we use, for example, CONFIG_FIT_SIGNATURE to disable it?
> I prefer to check CONFIG_FIT_SIGNATURE, and disable IMAGE_FORMAT_LEGACY completely.
I suggest a new CONFIG option, like CONFIG_DISABLE_IMAGE_FORMAT_LEGACY or possibly a device tree option, since if you force-disable the legacy format you are actually removing functionality. At present CONFIG_FIT_SIGNATURE is a capability, and one capability should not normally preclude another.
Regards, Simon
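As an added illustration (not U-Boot's code and not part of the thread), this models the gate Simon proposes for boot_get_kernel(): images are classified by the real legacy uImage and FDT/FIT header magics, and the legacy path is compiled out under CONFIG_DISABLE_IMAGE_FORMAT_LEGACY, the name suggested above, treated here as a hypothetical build-time switch. The sample headers are constructed and carry only the magic bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Header magics as in U-Boot: legacy uImage (image.h) and FDT, i.e. FIT (libfdt). */
#define IH_MAGIC  0x27051956u
#define FDT_MAGIC 0xd00dfeedu

/* Hypothetical build-time switch from the thread; remove it to allow legacy images again. */
#define CONFIG_DISABLE_IMAGE_FORMAT_LEGACY 1

enum image_format { IMAGE_FORMAT_INVALID, IMAGE_FORMAT_LEGACY, IMAGE_FORMAT_FIT };

/* Both magics are stored big-endian in the header. */
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Classify by the leading magic only, as genimg_get_format() does (model, not U-Boot code). */
enum image_format classify_image(const uint8_t *buf, size_t len)
{
	if (len < 4)
		return IMAGE_FORMAT_INVALID;
	if (be32(buf) == IH_MAGIC)
		return IMAGE_FORMAT_LEGACY;
	return be32(buf) == FDT_MAGIC ? IMAGE_FORMAT_FIT : IMAGE_FORMAT_INVALID;
}

/* The gate proposed for boot_get_kernel(): 0 = hand the image on to the FIT
 * signature checks, -1 = refuse it before any further parsing. */
int gate_kernel_image(const uint8_t *buf, size_t len)
{
	switch (classify_image(buf, len)) {
	case IMAGE_FORMAT_LEGACY:
#ifdef CONFIG_DISABLE_IMAGE_FORMAT_LEGACY
		puts("Legacy uImage refused: only FIT images can carry a verified signature");
		return -1;
#else
		return 0;	/* the gap the thread describes: an unsigned legacy image boots */
#endif
	case IMAGE_FORMAT_FIT:
		return 0;
	default:
		return -1;
	}
}

/* Constructed sample headers: only the leading magic bytes are filled in. */
static const uint8_t sample_legacy[64] = { 0x27, 0x05, 0x19, 0x56 };
static const uint8_t sample_fit[64]    = { 0xd0, 0x0d, 0xfe, 0xed };
static const uint8_t sample_junk[64]   = { 0x00, 0x11, 0x22, 0x33 };
```

With the switch defined, only a FIT image reaches the signature checks; a legacy uImage is refused before any of its header is trusted.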