Re: U-Boot FIT Signature Verification

Hi there,

I don't think it would make sense to check for expiration (even in case we would have full certificates like PKCS#7 verify).
At our point of the boot process we normally do not have access to a trusted time/date, so any check could be simply spoofed or, even worse, fail, because the wall clock is not initialized properly.
I think even the EFI boot process (or shim) does not check the expiration date of their certificates!
What could make sense is a check for an expired certificate/key at signing time (including intermediate certs), but I am not sure if this would be too hard a restriction (at least for developing/testing). I think a hint for the signer should be enough!

Regards
Robert

On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote:

On 9/11/20 7:26 PM, Andrii Voloshyn wrote:

Hi there,
Does U-Boot take into account the certificate expiration date when verifying signed images in FIT? In other words, is the date stored along with the public key in the DTB file?
Cheers,
Andy

Hello Philippe,
looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot
find a comparison of the date on which an image was signed with the
expiry date of the certificate. Shouldn't there be a check? Or did I
simply look into the wrong function?

I think Simon is the right person to answer this question, but
as far as I know, we don't have any device tree property for the expiration date of a public key. See doc/uImage.FIT/signature.txt.
-Takahiro Akashi

Best regards
Heinrich

participants (1)
-
REITHER Robert - Contractor