From mboxrd@z Thu Jan 1 00:00:00 1970 From: Simon Glass Date: Thu, 2 Aug 2018 14:36:04 -0600 Subject: [U-Boot] U-Boot: Verified Boot: signed configuration and mix and match attack In-Reply-To: References: Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Johann, On 2 August 2018 at 07:20, Johann Neuhauser wrote: > Hello Simon, > >> > Dear U-Boot devs, >> > >> > I've setup verified boot on a imx6 board and want to protect my device >> against the "mix and match" attacks mentioned in >> "doc/uImage.FIT/signature.txt". >> > That's why I have only implemented signed configurations and no signed >> images as in doc/uImage.FIT/signed-configs.its. >> > My public key in my embedded fdt has the property required = "conf"; >> > >> > Booting a signed config with "bootm ${loadaddr}#conf at 1" and an >> embedded public key required for configurations does work as expected and >> do fail to boot if I modify the config, image, hash, signature and so on. >> > >> > If I boot any fit image(signed and unsigned) for example with "bootm >> ${loadaddr}:kernel at 1 - fdt at 1" to select the subimages directly, I could boot >> every image combination without signature verification although a signature >> is enforced for a configuration. >> > >> > Is this the expected behavior? >> > >> > I thought if I had set the public key in in the embedded fdt as required for >> configurations, bootm does only boot signed configurations and no >> subimages directly... >> >> I don't think there is any restriction on that at the moment. You are explicitly >> asking to boot particular images rather than a config. So I suppose it would be >> odd if U-Boot tried to enforce a config. Are you thinking it should try to find a >> config that has those images in it? > > No, I expected that I cannot boot sub images directly if there is a required public key for a configuration. > After a dive into the bootm source I think this is not easily possible to enforce this behavior. It should be easy enough to change fit_image_load() to return an error if fit_uname_configp doesn't have a config. > >> But why not just specify the config to bootm? > > At first I wanted to use a simple boot script wrapped in a fit image (unsigned) and > have only the needed commands enabled in U-Boot. > Now I switched to a signed U-Boot script as boot script and can be sure that this one gets not tampered. > The only bad thing is here that the source command does only have support for fit sub images and > I have to sign the config and the image of my system image if I had a required certificate for images and configs. I don't quite get this, sorry. What is a FIT sub-image? Do you mean a FIT image? You can actually sign individual images if you want to, but as the docs mention, this is not fully secure since it is vulnerable to mix-and-match attacks. But if do want to group images together, so that only certain ones can be used together, then a FIT config is the mechanism for that. You must sign each config simple because otherwise there is nothing protecting against the attack. > > Probably this behavior should be mentioned in the doc. Please send a patch. > > Many thanks for the clarification. You are welcome. But I suspect I have misunderstood this in some way, so let me know :-) Regards, Simon