Re: [U-Boot] Secure update of uboot devices?
Dear Andreas,
please always keep the mailing list on Cc:
In message CAB+EkH69iuEjcdKUYeX2NDw_v5bDJ6aLBbLPUN7ii7dnnAQmsg@mail.gmail.com you wrote:
Actually what i think I am after is authentication of uboot that have somewhat been discussed before in http://www.mail-archive.com/u-boot-users@lists.sourceforge.net/msg04707.html
But I can't find if it has been done before
I have no information that any such work has been done.
Best regards,
Wolfgang Denk
Actually there seams to exsist some very old patches for this http://lists.denx.de/pipermail/u-boot/2006-September/016960.html
Here a paper quite exact what I am after: http://elinux.org/images/2/28/Trusted_Boot_Loader.pdf
Is there any toughts on integating this in trunk or should I try to merge this patch with the git trunk of my own?
On Friday 06 January 2012 06:24:50 Andreas Bäck wrote:
Actually there seams to exsist some very old patches for this http://lists.denx.de/pipermail/u-boot/2006-September/016960.html
Here a paper quite exact what I am after: http://elinux.org/images/2/28/Trusted_Boot_Loader.pdf
Is there any toughts on integating this in trunk or should I try to merge this patch with the git trunk of my own?
i think you need to outline exactly what it is you're trying to do. "secure update" and "secure boot" is way too vague. for starters, you need to outline the vectors you're trying to protect against. the arm trustzone whitepaper is a pretty good example of things: http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29- GENC-009492C_trustzone_security_whitepaper.pdf
there are many hardware solutions out there for verifying the integrity of u- boot itself before executing it, but they tend to be SoC/arch specific. the trusted boot paper you referred to for example really only makes sense on x86 based platforms.
the patch you referred to however is for verifying the integrity of the kernel image that u-boot boots. it doesn't help with u-boot itself. -mike
Dear =?ISO-8859-1?Q?Andreas_B=E4ck?=,
In message CAB+EkH5g3ybYSLGYtBkATEFVG_WzeSYC3K0SmFOG4436Dr6uXA@mail.gmail.com you wrote:
Actually there seams to exsist some very old patches for this http://lists.denx.de/pipermail/u-boot/2006-September/016960.html
Here a paper quite exact what I am after: http://elinux.org/images/2/28/Trusted_Boot_Loader.pdf
Is there any toughts on integating this in trunk or should I try to merge this patch with the git trunk of my own?
If you read the comments to the old patches you know why that code did not go into mainline then. It would not go into mainline for the same reasons today. This needs a major rework.
The feature itself is certainly interesting, and (cleaned up) patcehs are welcome.
Best regards,
Wolfgang Denk
participants (3)
-
Andreas Bäck -
Mike Frysinger -
Wolfgang Denk