* [U-Boot] booting signed Images
@ 2014-05-05 7:35 Heiko Schocher
2014-05-05 17:25 ` Simon Glass
0 siblings, 1 reply; 7+ messages in thread
From: Heiko Schocher @ 2014-05-05 7:35 UTC (permalink / raw)
To: u-boot
Hello Simon,
just talked with Wolfgang about the booting process from signed images,
as it is described in:
doc/uImage.FIT/verified-boot.txt
doc/uImage.FIT/signature.txt
If we see it correctly, then it is still possible to boot a uImage
or a FIT image without a signature with "bootm" when CONFIG_FIT_SIGNATURE
is defined.
The question was raised whether this is good behaviour.
Should we not prevent booting uImages or unsigned FIT images when
CONFIG_FIT_SIGNATURE is defined?
Or at least prevent booting such unsigned images through a U-Boot
env variable.
What do you think?
Thanks in advance
bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
* [U-Boot] booting signed Images
From: Simon Glass @ 2014-05-05 17:25 UTC
To: u-boot
Hi Heiko,
On 5 May 2014 01:35, Heiko Schocher <hs@denx.de> wrote:
> Hello Simon,
>
> just talked with Wolfgang about the booting process from signed images,
> as it is described in:
>
> doc/uImage.FIT/verified-boot.txt
> doc/uImage.FIT/signature.txt
>
> If we see it correctly, then it is still possible to boot a uImage
> or a FIT image without a signature with "bootm" when CONFIG_FIT_SIGNATURE
> is defined.
>
> The question was raised whether this is good behaviour.
>
> Should we not prevent booting uImages or unsigned FIT images when
> CONFIG_FIT_SIGNATURE is defined?
> Or at least prevent booting such unsigned images through a U-Boot
> env variable.
>
> What do you think?
There is a 'required' property in the public keys which is intended to
support this. If you mark a key as 'required' then it will need to be
verified by any image that is loaded. There is a test for this case,
but it may not be comprehensive.
Regards,
Simon
* [U-Boot] booting signed Images
From: Wolfgang Denk @ 2014-05-05 17:55 UTC
To: u-boot
Dear Simon,
In message <CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com> you wrote:
>
> > Should we not prevent booting uImages or unsigned FIT images when
> > CONFIG_FIT_SIGNATURE is defined?
> > Or at least prevent booting such unsigned images through a U-Boot
> > env variable.
> >
> > What do you think?
>
> There is a 'required' property in the public keys which is intended to
> support this. If you mark a key as 'required' then it will need to be
> verified by any image that is loaded. There is a test for this case,
> but it may not be comprehensive.
But what about legacy uImage files? It appears nothing would stop
booting one of those?
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Accident: A condition in which presence of mind is good, but absence
of body is better.
* [U-Boot] booting signed Images
From: Simon Glass @ 2014-05-05 18:31 UTC
To: u-boot
Hi Wolfgang,
On 5 May 2014 11:55, Wolfgang Denk <wd@denx.de> wrote:
> Dear Simon,
>
> In message <CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com> you wrote:
>>
>> > Should we not prevent booting uImages or unsigned FIT images when
>> > CONFIG_FIT_SIGNATURE is defined?
>> > Or at least prevent booting such unsigned images through a U-Boot
>> > env variable.
>> >
>> > What do you think?
>>
>> There is a 'required' property in the public keys which is intended to
>> support this. If you mark a key as 'required' then it will need to be
>> verified by any image that is loaded. There is a test for this case,
>> but it may not be comprehensive.
>
> But what about legacy uImage files? It appears nothing would stop
> booting one of those?
That's right, there is nothing to stop that at present. The
verification happens either on each image (for per-image signing) or
on the selected configuration as a whole (in fit_image_load() when it
sees the kernel being loaded).
One simple solution might be to check a CONFIG option in
boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
Regards,
Simon
* [U-Boot] booting signed Images
From: Wolfgang Denk @ 2014-05-05 19:19 UTC
To: u-boot
Dear Simon,
In message <CAPnjgZ3OKQ8UZMOrQ7m7zWDWsFa2yZqCT2F69sKwgjDymOzePw@mail.gmail.com> you wrote:
>
> >> There is a 'required' property in the public keys which is intended to
> >> support this. If you mark a key as 'required' then it will need to be
> >> verified by any image that is loaded. There is a test for this case,
> >> but it may not be comprehensive.
> >
> > But what about legacy uImage files? It appears nothing would stop
> > booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
This makes sense to me. Thanks!
Best regards,
Wolfgang Denk
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
I haven't lost my mind -- it's backed up on tape somewhere.
* [U-Boot] booting signed Images
From: Heiko Schocher @ 2014-05-07 7:06 UTC
To: u-boot
Hello Simon,
On 05.05.2014 20:31, Simon Glass wrote:
> Hi Wolfgang,
>
> On 5 May 2014 11:55, Wolfgang Denk<wd@denx.de> wrote:
>> Dear Simon,
>>
>> In message<CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com> you wrote:
>>>
>>>> Should we not prevent booting uImages or unsigned FIT images when
>>>> CONFIG_FIT_SIGNATURE is defined?
>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>> env variable.
>>>>
>>>> What do you think?
>>>
>>> There is a 'required' property in the public keys which is intended to
>>> support this. If you mark a key as 'required' then it will need to be
>>> verified by any image that is loaded. There is a test for this case,
>>> but it may not be comprehensive.
>>
>> But what about legacy uImage files? It appears nothing would stop
>> booting one of those?
>
> That's right, there is nothing to stop that at present. The
> verification happens either on each image (for per-image signing) or
> on the selected configuration as a whole (in fit_image_load() when it
> sees the kernel being loaded).
>
> One simple solution might be to check a CONFIG option in
> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
The question here is whether we introduce a new config option for this,
or use, for example, CONFIG_FIT_SIGNATURE to disable it.
I prefer to check CONFIG_FIT_SIGNATURE and disable IMAGE_FORMAT_LEGACY
completely.
bye,
Heiko
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
* [U-Boot] booting signed Images
From: Simon Glass @ 2014-05-07 22:51 UTC
To: u-boot
Hi Heiko,
On 7 May 2014 01:06, Heiko Schocher <hs@denx.de> wrote:
> Hello Simon,
>
> On 05.05.2014 20:31, Simon Glass wrote:
>
> Hi Wolfgang,
>>
>> On 5 May 2014 11:55, Wolfgang Denk<wd@denx.de> wrote:
>>
>>> Dear Simon,
>>>
>>> In message <CAPnjgZ2-qC8YK8t2DvmzXWKy3Wd+=7VY1Ti=Jm98LF96PLfu-g@mail.gmail.com> you wrote:
>>>
>>>>
>>>> Should we not prevent booting uImages or unsigned FIT images when
>>>>> CONFIG_FIT_SIGNATURE is defined?
>>>>> Or at least prevent booting such unsigned images through a U-Boot
>>>>> env variable.
>>>>>
>>>>> What do you think?
>>>>>
>>>>
>>>> There is a 'required' property in the public keys which is intended to
>>>> support this. If you mark a key as 'required' then it will need to be
>>>> verified by any image that is loaded. There is a test for this case,
>>>> but it may not be comprehensive.
>>>>
>>>
>>> But what about legacy uImage files? It appears nothing would stop
>>> booting one of those?
>>>
>>
>> That's right, there is nothing to stop that at present. The
>> verification happens either on each image (for per-image signing) or
>> on the selected configuration as a whole (in fit_image_load() when it
>> sees the kernel being loaded).
>>
>> One simple solution might be to check a CONFIG option in
>> boot_get_kernel() and disable support for IMAGE_FORMAT_LEGACY.
>>
>
> The question here is whether we introduce a new config option for this,
> or use, for example, CONFIG_FIT_SIGNATURE to disable it.
>
> I prefer to check CONFIG_FIT_SIGNATURE and disable IMAGE_FORMAT_LEGACY
> completely.
>
I suggest a new CONFIG option, like CONFIG_DISABLE_IMAGE_FORMAT_LEGACY, or
possibly a device tree option, since if you force-disable the legacy
format you are actually removing functionality. At present
CONFIG_FIT_SIGNATURE is a capability, and one capability should not
normally preclude another.
Regards,
Simon
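The gap discussed in this thread (a legacy uImage is never signature-checked, so an image-format policy is the only place to refuse it) as an added stand-alone example; this is not U-Boot code, and the policy flag and the sample image headers are constructed stand-ins for the proposed CONFIG_DISABLE_IMAGE_FORMAT_LEGACY option and for real images:

```c
/* Added example, not U-Boot code: a stand-alone model of the format dispatch
 * in boot_get_kernel(), refusing IMAGE_FORMAT_LEGACY when a policy flag
 * (standing in for the proposed CONFIG_DISABLE_IMAGE_FORMAT_LEGACY) is set. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IH_MAGIC  0x27051956u /* legacy uImage header magic, big-endian */
#define FDT_MAGIC 0xd00dfeedu /* FIT images are flattened device trees */
enum image_format { IMAGE_FORMAT_INVALID, IMAGE_FORMAT_LEGACY, IMAGE_FORMAT_FIT };
struct boot_policy { int disable_legacy; };

/* Constructed 64-byte samples: only the leading magic matters here. */
static const uint8_t sample_legacy[64] = { 0x27, 0x05, 0x19, 0x56 };
static const uint8_t sample_fit[64] = { 0xd0, 0x0d, 0xfe, 0xed };
static const struct boot_policy policy_today = { 0 }, policy_strict = { 1 };

/* Classify by leading magic, as genimg_get_format() does. */
enum image_format detect_format(const uint8_t *img, size_t len)
{
    if (len < 4)
        return IMAGE_FORMAT_INVALID;
    uint32_t magic = ((uint32_t)img[0] << 24) | ((uint32_t)img[1] << 16) |
                     ((uint32_t)img[2] << 8) | img[3];
    if (magic == IH_MAGIC)
        return IMAGE_FORMAT_LEGACY;
    return magic == FDT_MAGIC ? IMAGE_FORMAT_FIT : IMAGE_FORMAT_INVALID;
}

/* 1 if bootm may continue with this image under the policy, else 0. */
int boot_format_allowed(const uint8_t *img, size_t len,
                        const struct boot_policy *pol)
{
    switch (detect_format(img, len)) {
    case IMAGE_FORMAT_FIT:
        return 1; /* FIT goes on to the signature / 'required' key checks */
    case IMAGE_FORMAT_LEGACY:
        /* today: booted with no signature check at all; strict: refused */
        return pol->disable_legacy ? 0 : 1;
    default:
        return 0;
    }
}

int main(void)
{
    printf("legacy/today %d, legacy/strict %d, fit/strict %d\n",
           boot_format_allowed(sample_legacy, 64, &policy_today),
           boot_format_allowed(sample_legacy, 64, &policy_strict),
           boot_format_allowed(sample_fit, 64, &policy_strict));
    return 0;
}
```

With the strict policy the legacy sample is refused before any loading happens, while the FIT sample still proceeds to the existing signature and 'required'-key checks.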