Securing u-boot: allow only authentic images
Hi there,
I'm new to u-boot and in need for a little assistance, I hope someone can point me in the right direction.
I need to secure the bootloader of a device to some extend. The device is currently using u-boot as bootloader and I would like to stick with that.
The device runs an OpenWRT. The SoC is a HLK7628N.
At this moment, it is possible to use the u-boot bootloader to replace the image of the device with any other image. I would like to have u-boot to allow only authentic (signed?) images. What is the best way to accomplish this? Any pointers, examples and so on will be much appreciated.
Thanks!
Hi,
On Tue, 25 Jul 2023 at 09:40, Martin van den Berg martinvdberg@gmail.com wrote:
Hi there,
I'm new to u-boot and in need for a little assistance, I hope someone can point me in the right direction.
I need to secure the bootloader of a device to some extend. The device is currently using u-boot as bootloader and I would like to stick with that.
The device runs an OpenWRT. The SoC is a HLK7628N.
At this moment, it is possible to use the u-boot bootloader to replace the image of the device with any other image. I would like to have u-boot to allow only authentic (signed?) images. What is the best way to accomplish this? Any pointers, examples and so on will be much appreciated.
https://u-boot.readthedocs.io/en/latest/usage/fit/signature.html
You can also find various talks on this topic, some linked from https://u-boot.readthedocs.io/en/latest/learn/index.html
If you find any others that are interesting, please do add them to elinux.org
Regards, Simon
participants (2)
-
Martin van den Berg -
Simon Glass