From: Maxime Ripard <maxime.ripard@free-electrons.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64
Date: Thu, 14 Dec 2017 10:07:40 +0100 [thread overview]
Message-ID: <20171214090740.3ul4qbxwmno4wnse@flea.lan> (raw)
In-Reply-To: <CAD6G_RQaJV0=v0e4m7EZReDROPRgcopMtdA-Lm1OTSVW+sxicA@mail.gmail.com>
On Wed, Dec 13, 2017 at 09:41:35PM +0530, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard
> <maxime.ripard@free-electrons.com> wrote:
> > Hi,
> >
> > On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
> >> Add verified-boot documentation for sunxi a64 platform.
> >>
> >> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> >> ---
> >> Changes for v3:
> >> - Create separate document file
> >> Changes for v2:
> >> - New patch
> >>
> >> doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >> 1 file changed, 193 insertions(+)
> >> create mode 100644 doc/README.sunxi
> >>
> >> diff --git a/doc/README.sunxi b/doc/README.sunxi
> >> new file mode 100644
> >> index 0000000..ef4f735
> >> --- /dev/null
> >> +++ b/doc/README.sunxi
> >> @@ -0,0 +1,193 @@
> >> +#
> >> +# Copyright (C) 2017 Amarula Solutions
> >> +#
> >> +# SPDX-License-Identifier: GPL-2.0+
> >> +#
> >> +
> >> +U-Boot on SunXi
> >> +==============
> >> +
> >> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
> >> +
> >> + 1. Verified Boot
> >> +
> >> +1. Verified Boot
> >> +================
> >> +
> >> +U-Boot supports an image verification method called "Verified Boot".
> >> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> >> +You will find details documents in the doc/uImage.FIT directory.
> >> +
> >> +Here, we take Orangepi Win board for example, but it should work for any
> >> +other boards including 32 bit SoCs.
> >> +
> >> +1. Generate RSA key to sign
> >> +
> >> + $ mkdir keys
> >> + $ openssl genpkey -algorithm RSA -out keys/dev.key \
> >> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> >> +
> >> +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
> >> +but need to match to the "key-name-hint" property described below.
> >
> > I really think that the very first thing you must talk about in that
> > documentation is that it will not protect the SPL itself and that this
> > is not a secure setup.
>
> Based on my experience with U-boot, verified-boot here doesn't relate
> to protect SPL or U-Boot. it's generally for kernel and followed
> stages. I don't think we can think here too-much. some reference
> doc/README.uniphier
Except that when you read verified boot, it also comes with the
assumption that you're actually protected against something.
In this particular case, you're protected against exactly
nothing. Anyone could come up, replace the bootloader to remove the
signature check, and you're doomed. It's trivial to do, and you're not
mentionning it anywhere.
Maxime
--
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171214/6e4e269c/attachment.sig>
next prev parent reply other threads:[~2017-12-14 9:07 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-13 6:03 [U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature Jagan Teki
2017-12-13 6:03 ` [U-Boot] [PATCH v3 2/5] sunxi: arm64: Increase CONFIG_SYS_BOOTM_LEN to 32MB Jagan Teki
2017-12-13 15:34 ` Maxime Ripard
2017-12-13 6:03 ` [U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64 Jagan Teki
2017-12-13 15:38 ` Maxime Ripard
2017-12-13 16:11 ` Jagan Teki
2017-12-14 9:07 ` Maxime Ripard [this message]
2017-12-13 15:59 ` Quentin Schulz
2017-12-13 16:16 ` Jagan Teki
2017-12-13 16:25 ` Andre Przywara
2017-12-13 16:35 ` Jagan Teki
2017-12-13 16:47 ` Andre Przywara
2017-12-14 1:28 ` Tom Rini
2017-12-13 6:03 ` [U-Boot] [PATCH v3 4/5] docs: README.sunxi: Move sunxi64 documentation Jagan Teki
2017-12-13 15:38 ` Maxime Ripard
2017-12-13 16:21 ` Jagan Teki
2017-12-13 16:12 ` Andre Przywara
2017-12-14 1:30 ` Tom Rini
2017-12-13 6:03 ` [U-Boot] [PATCH v3 5/5] docs: README.sunxi: Move nand documentation Jagan Teki
2017-12-13 15:39 ` [U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature Maxime Ripard
2017-12-13 16:08 ` [U-Boot] [linux-sunxi] " Peter Korsgaard
2017-12-14 8:16 ` Jagan Teki
2017-12-14 8:51 ` Peter Korsgaard
2017-12-14 8:33 ` [U-Boot] " Jagan Teki
2017-12-15 13:41 ` Maxime Ripard
2017-12-15 14:36 ` Andre Przywara
2017-12-15 15:05 ` Jagan Teki
2017-12-15 15:31 ` Andre Przywara
2017-12-15 15:02 ` Jagan Teki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171214090740.3ul4qbxwmno4wnse@flea.lan \
--to=maxime.ripard@free-electrons.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.