[U-Boot] [U-boot] mkimage -F parameter

Hi, experts:
It seems mkimage has supported signing an image.
So, I have a question about signed Linux kernel images:
1. If the kernel image is signed by the mkimage tool,
could U-Boot verify this signed Linux kernel image before jumping to its entry point function?
2. If U-Boot could verify the signed Linux kernel image,
how to manage these different vendors' public keys in the U-Boot code? Using an env variable?
Best wishes,

Dear TigerLiu@viatech.com.cn,
In message FE7ADED5C2218B4786C09CD97DC4C49F74C5A4@exchbj02.viatech.com.bj you wrote:
> It seems mkimage has supported signing an image.
Does it?
The mainline code does not know any '-F' option...
Best regards,
Wolfgang Denk

Dear Denk: Here are the web pages describing the -F / -K parameters for mkimage:
http://patchwork.ozlabs.org/patch/209634/
http://patchwork.ozlabs.org/patch/209610/
So, will these patches be merged into mainline code?
Best wishes,
-----Original Message----- From: u-boot-bounces@lists.denx.de [mailto:u-boot-bounces@lists.denx.de] On Behalf Of Wolfgang Denk Sent: January 31, 2013 21:55 To: Tiger Liu Cc: u-boot@lists.denx.de Subject: Re: [U-Boot] [U-boot] mkimage -F parameter

Hi Tiger,
On Thu, Jan 31, 2013 at 3:36 AM, TigerLiu@viatech.com.cn wrote:
> Hi, experts:
> It seems mkimage has supported signing an image.
This code is not yet merged, as you have discovered.
> So, I have a question about signed Linux kernel images:
> If the kernel image is signed by the mkimage tool,
> could U-Boot verify this signed Linux kernel image before jumping to its entry point function?
Yes, the bootm command will do this automatically.
> If U-Boot could verify the signed Linux kernel image,
> how to manage these different vendors' public keys in the U-Boot code? Using an env variable?
The keys are not easily kept in an environment variable as we have several bits of information.
In the current implementation the device tree is used, so you need to enable CONFIG_OF_CONTROL. Then mkimage will put the public keys in the FDT, and you attach that to U-Boot.
Multiple keys are supported and it is possible to sign the same image with several different keys. Keys can be marked 'required' so that they must verify.
What platform/board are you using?
Regards, Simon
> Best wishes,
U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
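
An added illustration of the flow Simon describes (not code from the thread or from the U-Boot project): a FIT source with a signature node, with the mkimage invocation in the header comment. Node and property names follow the signature format as later merged into mainline U-Boot, which is an assumption relative to the unmerged patches discussed here; file names, the load address and the key name `dev` are placeholders.

```dts
/dts-v1/;
/*
 * kernel.its: constructed example, not from the thread.
 *
 * Sign while building the FIT (keys/dev.key is the RSA private key,
 * keys/dev.crt the matching certificate; both names are placeholders):
 *
 *   mkimage -f kernel.its -k keys -K u-boot.dtb -r kernel.fit
 *
 *   -k  directory holding <key-name-hint>.key / <key-name-hint>.crt
 *   -K  control FDT to receive the public key; mkimage adds a
 *       /signature/key-dev node (algo, key-name-hint, rsa,modulus, ...)
 *       and this .dtb is then attached to U-Boot (CONFIG_OF_CONTROL)
 *   -r  mark the key 'required', so bootm refuses an image that does
 *       not verify against it
 *
 * -F re-signs an existing FIT in place instead of building from a .its:
 *
 *   mkimage -F -k keys -K u-boot.dtb -r kernel.fit
 */
/ {
	description = "Signed kernel (constructed example)";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("zImage");	/* placeholder file name */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x80008000>;		/* placeholder address */
			entry = <0x80008000>;
			signature-1 {
				algo = "sha1,rsa2048";
				key-name-hint = "dev";	/* selects keys/dev.key */
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			kernel = "kernel-1";
		};
	};
};
```

To sign the same image with a second vendor key, add another signature node with a different `key-name-hint` and pass the same `-K` control FDT so both public keys end up in it.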

Hi, Simon: Thanks for your answer! I have a PandaBoard (OMAP 4460). I am studying the U-Boot code.
If U-Boot integrates this kernel-verifying function, then it would have a security feature (same as UEFI firmware supported).
Best wishes,
-----Original Message----- From: sjg@google.com [mailto:sjg@google.com] On Behalf Of Simon Glass Sent: February 1, 2013 22:25 To: Tiger Liu Cc: u-boot@lists.denx.de Subject: Re: [U-Boot] [U-boot] mkimage -F parameter

Hi Tiger,
On Sun, Feb 3, 2013 at 5:52 PM, TigerLiu@viatech.com.cn wrote:
> Hi, Simon: Thanks for your answer! I have a PandaBoard (OMAP 4460). I am studying the U-Boot code.
> If U-Boot integrates this kernel-verifying function, then it would have a security feature (same as UEFI firmware supported).
Yes. It can be used to verify a kernel, and also to verify a second-stage firmware (if upgradable firmware is required and you want to always avoid bricking the device). It can verify any image that can be put in a FIT, and any combination of images that can be put in a FIT configuration.
Regards, Simon