All of lore.kernel.org
 help / color / mirror / Atom feed
From: "François Ozog" <francois.ozog@linaro.org>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Roman Kopytin <roman.kopytin@kaspersky.com>,
	 "u-boot@lists.denx.de" <u-boot@lists.denx.de>,
	Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool
Date: Tue, 9 Nov 2021 13:43:02 +0100	[thread overview]
Message-ID: <CAHFG_=Wxmw3oq3DXDSgr3KvbP0G_Av-0YCDOHrnCdJ0U7OC4fg@mail.gmail.com> (raw)
In-Reply-To: <5d59918e-7b49-a329-945e-748cdf6b5fcb@siemens.com>

Hi

as we are in design discussions, I would promote the idea of not pushing
non hardware related things in the DTB that is passed to the kernel.
Is your use case to allow U-Boot to verify the kernel's signature ?
Why not putting it into an environment variable?

If your use case is on Arm or RISC-V, both environments are working heavily
to make https://arm-software.github.io/ebbr/ standard available on a large
number of boards.
This offers UEFI interface and SecureBoot (and later MeasuredBoot)
services. For Arm boards just check for SystemReady compliance.
In this context, traditional UEFI secure variables are used to deal with
certificates and hashes: PK, KEK, db...
You can obviously do differently but you will be on your own to extend the
chain of trust to IMA, secure containers (rooted down to hRoT) and other
security facilities in the Linux side.
Could you describe your use case in more details?

On Tue, 9 Nov 2021 at 11:07, Jan Kiszka <jan.kiszka@siemens.com> wrote:

> On 09.11.21 10:37, Roman Kopytin wrote:
> > Can we have discussion with code lines? For me it is not very clear,
> because it isn't my code.
> >
>
> Please do not top-post.
>
> > -----Original Message-----
> > From: Jan Kiszka <jan.kiszka@siemens.com>
> > Sent: Tuesday, November 9, 2021 12:17 PM
> > To: Roman Kopytin <Roman.Kopytin@kaspersky.com>; u-boot@lists.denx.de;
> Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> > Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool
> >
> > On 08.11.21 16:28, Roman Kopytin wrote:
> >> In order to reduce the coupling between building the kernel and
> >> U-Boot, I'd like a tool that can add a public key to U-Boot's dtb
> >> without simultaneously signing a FIT image. That tool doesn't seem to
> >> exist, so I stole the necessary pieces from mkimage et al and put it
> >> in a single .c file.
> >>
> >> I'm still working on the details of my proposed "require just k out
> >> these n required keys" and how it should be implemented, but it will
> >> probably involve teaching this tool a bunch of new options. These
> >> patches are not necessarily ready for inclusion (unless someone else
> >> finds fdt_add_pubkey useful as is), but I thought I might as well send
> >> it out for early comments.
> >
> > I'd also like to see the usage of this hooked into the build process.
> >
> > And to my understanding of [1], that approach will provide a feature
> that permits hooking with the build but would expect the key as dtsi
> fragment. Can we consolidate the approaches?
> >
> > My current vision of a user interface would be a Kconfig option that
> takes a list of key files to be injected. Maybe make that three lists, one
> for "required=image", one for "required=conf", and one for optional keys
> (if that has a use case in practice, no idea).
> >
> > Jan
> >
> > [1]
> >
> https://lore.kernel.org/u-boot/20210928085651.619892-1-rasmus.villemoes@prevas.dk/
> >
> > --
> > Siemens AG, T RDA IOT
> > Corporate Competence Center Embedded Linux
> >
>
> For what would you like to have code? The kconfig addition?
>
> diff --git a/common/Kconfig.boot b/common/Kconfig.boot
> index d3a12be228..a9ed4d4ec4 100644
> --- a/common/Kconfig.boot
> +++ b/common/Kconfig.boot
> @@ -279,6 +279,14 @@ config SPL_FIT_GENERATOR
>
>  endif # SPL
>
> +config FIT_SIGNATURE_PUB_KEYS
> +       string "Public keys to use for FIT image verification"
> +       depends on FIT_SIGNATURE || SPL_FIT_SIGNATURE
> +       help
> +         Public keys, or certificate files to extract them from, that
> shall
> +         be used to verify signed FIT images. The keys will be embedded
> into
> +         the control device tree of U-Boot.
> +
>  endif # FIT
>
>  config LEGACY_IMAGE_FORMAT
>
>
> But note that we are in a design discussion here, and I'm at least
> reluctant to code up n-versions without having some common idea where
> things should move.
>
> Jan
>
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux
>


-- 
François-Frédéric Ozog | *Director Business Development*
T: +33.67221.6485
francois.ozog@linaro.org | Skype: ffozog

  reply	other threads:[~2021-11-09 12:43 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-08 15:28 [PATCH 0/2] RFC: add fdt_add_pubkey tool Roman Kopytin
2021-11-08 15:28 ` [PATCH 1/2] tools: add fdt_add_pubkey Roman Kopytin
2021-11-10  0:58   ` Simon Glass
2021-11-10  7:03     ` Roman Kopytin
2021-11-10  7:41       ` Jan Kiszka
2021-11-10  6:39   ` Jan Kiszka
2021-11-10  7:39   ` Jan Kiszka
2021-11-10  8:26     ` Roman Kopytin
2021-11-10 19:21       ` Jan Kiszka
2021-11-11  5:26         ` Roman Kopytin
2021-11-11  7:18           ` Jan Kiszka
2021-11-10 21:15   ` Jan Kiszka
2021-11-08 15:28 ` [PATCH 2/2] test_vboot.py: include test of fdt_add_pubkey tool Roman Kopytin
2021-11-10  0:58   ` Simon Glass
2021-11-09  9:16 ` [PATCH 0/2] RFC: add " Jan Kiszka
2021-11-09  9:37   ` Roman Kopytin
2021-11-09 10:07     ` Jan Kiszka
2021-11-09 12:43       ` François Ozog [this message]
2021-11-09 12:58         ` Jan Kiszka
2021-11-09 13:16           ` François Ozog
2021-11-09 14:00             ` Jan Kiszka
2021-11-09 17:32               ` François Ozog
2021-11-10  0:58         ` Simon Glass
2021-11-10  0:58       ` Simon Glass
2021-11-10  6:43         ` Jan Kiszka
2021-11-10 16:31           ` Simon Glass
2021-11-10 16:48             ` Jan Kiszka
2021-11-10 17:29               ` François Ozog
2021-11-10 17:44                 ` Jan Kiszka
2021-11-10 19:36               ` Simon Glass
2021-11-10 20:51                 ` Jan Kiszka
2021-11-11  0:31                   ` Simon Glass
2021-11-10  0:58   ` Simon Glass
2021-11-10  6:55     ` Jan Kiszka
2021-11-10  7:20       ` Jan Kiszka
2021-11-10 16:31         ` Simon Glass
2021-11-10 16:49           ` Jan Kiszka
2021-11-10 19:36             ` Simon Glass
2021-11-10 20:58               ` Jan Kiszka
2021-11-11  0:31                 ` Simon Glass
2021-11-10 20:49         ` binman replace broken? (was: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool) Jan Kiszka
2021-11-11  0:32           ` Simon Glass
2021-11-11  8:15 [PATCH 0/2] RFC: add fdt_add_pubkey tool Roman Kopytin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHFG_=Wxmw3oq3DXDSgr3KvbP0G_Av-0YCDOHrnCdJ0U7OC4fg@mail.gmail.com' \
    --to=francois.ozog@linaro.org \
    --cc=jan.kiszka@siemens.com \
    --cc=rasmus.villemoes@prevas.dk \
    --cc=roman.kopytin@kaspersky.com \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.