* [U-Boot] Verified boot of images without signatures
@ 2019-06-12 14:54 Patrick Doyle
2019-06-12 18:10 ` Alex Kiernan
0 siblings, 1 reply; 4+ messages in thread
From: Patrick Doyle @ 2019-06-12 14:54 UTC (permalink / raw)
To: u-boot
I am looking at enabling verified boot in the v2019.04-rc4 tag of
u-boot. I was pleased when I learned how to embed the public
authentication key in my u-boot device tree, sign my kernel using my
private authentication key, and see u-boot validate the signature on
boot.
But then I was very surprised to learn that I could still boot an
unsigned image. So I started looking at the code and I found
`fit_image_verify_with_data() in "common/image_fit.c", which does:
if (IMAGE_ENABLE_VERIFY &&
fit_image_verify_required_sigs(fit, image_noffset, data, size,
gd_fdt_blob(), &verify_all)) {
err_msg = "Unable to verify required signature";
goto error;
}
/* Process all hash subnodes of the component image node */
fdt_for_each_subnode(noffset, fit, image_noffset) {
const char *name = fit_get_name(fit, noffset, NULL);
/*
* Check subnode name, must be equal to "hash".
* Multiple hash nodes require unique unit node
* names, e.g. hash-1, hash-2, etc.
*/
if (!strncmp(name, FIT_HASH_NODENAME,
strlen(FIT_HASH_NODENAME))) {
if (fit_image_check_hash(fit, noffset, data, size,
&err_msg))
goto error;
puts("+ ");
} else if (IMAGE_ENABLE_VERIFY && verify_all &&
!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_check_sig(fit, noffset, data,
size, -1, &err_msg);
/*
* Show an indication on failure, but do not return
* an error. Only keys marked 'required' can cause
* an image validation failure. See the call to
* fit_image_verify_required_sigs() above.
*/
if (ret)
puts("- ");
else
puts("+ ");
}
}
I see that if I create a "required" property in my signature block,
then u-boot will require that the signature match. But if I don't
have that, then it will happily boot an unsigned image (or even one
that doesn't have any signature blocks).
Am I missing something here?
Has this been improved/addressed since v2019.04-rc4?
If the answers are "No" and "No", then I will go in and address it
myself. I welcome any tips folks might care to give me in advance of
me just submitting a patch to address this.
--wpd
^ permalink raw reply [flat|nested] 4+ messages in thread
* [U-Boot] Verified boot of images without signatures
2019-06-12 14:54 [U-Boot] Verified boot of images without signatures Patrick Doyle
@ 2019-06-12 18:10 ` Alex Kiernan
2019-06-12 20:27 ` Patrick Doyle
0 siblings, 1 reply; 4+ messages in thread
From: Alex Kiernan @ 2019-06-12 18:10 UTC (permalink / raw)
To: u-boot
On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster@gmail.com> wrote:
>
> I am looking at enabling verified boot in the v2019.04-rc4 tag of
> u-boot. I was pleased when I learned how to embed the public
> authentication key in my u-boot device tree, sign my kernel using my
> private authentication key, and see u-boot validate the signature on
> boot.
>
> But then I was very surprised to learn that I could still boot an
> unsigned image. So I started looking at the code and I found
> `fit_image_verify_with_data() in "common/image_fit.c", which does:
>
> if (IMAGE_ENABLE_VERIFY &&
> fit_image_verify_required_sigs(fit, image_noffset, data, size,
> gd_fdt_blob(), &verify_all)) {
> err_msg = "Unable to verify required signature";
> goto error;
> }
>
> /* Process all hash subnodes of the component image node */
> fdt_for_each_subnode(noffset, fit, image_noffset) {
> const char *name = fit_get_name(fit, noffset, NULL);
>
> /*
> * Check subnode name, must be equal to "hash".
> * Multiple hash nodes require unique unit node
> * names, e.g. hash-1, hash-2, etc.
> */
> if (!strncmp(name, FIT_HASH_NODENAME,
> strlen(FIT_HASH_NODENAME))) {
> if (fit_image_check_hash(fit, noffset, data, size,
> &err_msg))
> goto error;
> puts("+ ");
> } else if (IMAGE_ENABLE_VERIFY && verify_all &&
> !strncmp(name, FIT_SIG_NODENAME,
> strlen(FIT_SIG_NODENAME))) {
> ret = fit_image_check_sig(fit, noffset, data,
> size, -1, &err_msg);
>
> /*
> * Show an indication on failure, but do not return
> * an error. Only keys marked 'required' can cause
> * an image validation failure. See the call to
> * fit_image_verify_required_sigs() above.
> */
> if (ret)
> puts("- ");
> else
> puts("+ ");
> }
> }
>
> I see that if I create a "required" property in my signature block,
> then u-boot will require that the signature match. But if I don't
> have that, then it will happily boot an unsigned image (or even one
> that doesn't have any signature blocks).
>
> Am I missing something here?
>
Probably... I went round a very similar loop too. You need the
required property in the U-Boot DTB, not in the image you're booting.
And if you're trying to do this for SPL loading U-Boot you need
CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
image support.
--
Alex Kiernan
^ permalink raw reply [flat|nested] 4+ messages in thread
* [U-Boot] Verified boot of images without signatures
2019-06-12 18:10 ` Alex Kiernan
@ 2019-06-12 20:27 ` Patrick Doyle
2019-08-13 9:35 ` Simon Glass
0 siblings, 1 reply; 4+ messages in thread
From: Patrick Doyle @ 2019-06-12 20:27 UTC (permalink / raw)
To: u-boot
On Wed, Jun 12, 2019 at 2:10 PM Alex Kiernan <alex.kiernan@gmail.com> wrote:
> On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster@gmail.com> wrote:
> > Am I missing something here?
> >
>
> Probably... I went round a very similar loop too. You need the
> required property in the U-Boot DTB, not in the image you're booting.
> And if you're trying to do this for SPL loading U-Boot you need
> CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
> image support.
Hi Alex,
You nailed it. I didn't understand that the "required" property
belonged to the u-boot dtb, not the fitImage. Now that I understand
that, I see where that is described in signature.txt. I'm great at
understanding documentation once I know what the documentation says
:-)
Thanks for the help.
--wpd
^ permalink raw reply [flat|nested] 4+ messages in thread
* [U-Boot] Verified boot of images without signatures
2019-06-12 20:27 ` Patrick Doyle
@ 2019-08-13 9:35 ` Simon Glass
0 siblings, 0 replies; 4+ messages in thread
From: Simon Glass @ 2019-08-13 9:35 UTC (permalink / raw)
To: u-boot
Hi Patrick,
On Wed, 12 Jun 2019 at 14:28, Patrick Doyle <wpdster@gmail.com> wrote:
>
> On Wed, Jun 12, 2019 at 2:10 PM Alex Kiernan <alex.kiernan@gmail.com> wrote:
> > On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster@gmail.com> wrote:
> > > Am I missing something here?
> > >
> >
> > Probably... I went round a very similar loop too. You need the
> > required property in the U-Boot DTB, not in the image you're booting.
> > And if you're trying to do this for SPL loading U-Boot you need
> > CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
> > image support.
> Hi Alex,
> You nailed it. I didn't understand that the "required" property
> belonged to the u-boot dtb, not the fitImage. Now that I understand
> that, I see where that is described in signature.txt. I'm great at
> understanding documentation once I know what the documentation says
A doc patch is welcome.
The 'required' property is in the 'trusted' DT since otherwise an
image could just omit it.
Regards,
Simon
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-08-13 9:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-12 14:54 [U-Boot] Verified boot of images without signatures Patrick Doyle
2019-06-12 18:10 ` Alex Kiernan
2019-06-12 20:27 ` Patrick Doyle
2019-08-13 9:35 ` Simon Glass
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.