[U-Boot] U-boot FIT Signature
Good morning,
I am working with FIT image in U-Boot 2013.07. I have configured the image verification with signed image and kernel boots fine so, I would like to know if I can store my public key in an external device (like crypto-memory or an i2c device) because I am storing the key in DBT with the CONFIG_OF_CONTROL configuration. The aim of this is that U-Boot should check the i2c address of my external device, read the public key and verify the signed image later. I work with am335x board and Kernel 3.14.
Thanks in advanced,
How would you verify that the public key hasn't been tampered with?
On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda electronica@cojali.com wrote:
Good morning,
I am working with FIT image in U-Boot 2013.07. I have configured the image verification with signed image and kernel boots fine so, I would like to know if I can store my public key in an external device (like crypto-memory or an i2c device) because I am storing the key in DBT with the CONFIG_OF_CONTROL configuration. The aim of this is that U-Boot should check the i2c address of my external device, read the public key and verify the signed image later. I work with am335x board and Kernel 3.14.
Thanks in advanced,
-- María Sepúlveda Paños Engineering Department COJALI, S. L. _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Hi,
On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
How would you verify that the public key hasn't been tampered with?
On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda electronica@cojali.com wrote:
Good morning,
I am working with FIT image in U-Boot 2013.07. I have configured the image verification with signed image and kernel boots fine so, I would like to know if I can store my public key in an external device (like crypto-memory or an i2c device) because I am storing the key in DBT with the CONFIG_OF_CONTROL configuration.
Imho is perfectly fine to store the public key in the u-boot.dtb for most needs(specially for using it with fit-images). Do you have a specific reason for wanting to store it elsewhere?
The aim of this is that U-Boot should check the i2c address of my external device, read the public key and verify the signed image later. I work with am335x board and Kernel 3.14.
As Rick suggests you should verify your public key with a checksum which is somehow protected from being tampered. In the most cases there is some OTP- Fuse-Register that can do the job.
best regards
Markus
participants (3)
-
Maria Sepulveda -
Markus Valentin -
Rick Altherr