From: Johann Neuhauser <jneuhauser@dh-electronics.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] U-Boot: Verified Boot: signed configuration and mix and match attack
Date: Tue, 31 Jul 2018 08:22:35 +0000
Message-ID: <EC1C22C33E65E649A21D8911C850842C29FEBEF4@sun1049.dh.corp>

Dear U-Boot devs,

I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt".
That's why I have only implemented signed configurations and no signed images, as in doc/uImage.FIT/signed-configs.its.
My public key in my embedded fdt has the property required = "conf";

Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected, and it does fail to boot if I modify the config, image, hash, signature and so on.

If I boot any FIT image (signed or unsigned), for example with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I can boot every image combination without signature verification, although a signature is enforced for a configuration.

Is this the expected behavior?

I thought that if I had set the public key in the embedded fdt as required for configurations, bootm would only boot signed configurations and no subimages directly...

Best regards

Johann Neuhauser
DH electronics GmbH
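Added example, not part of the original message or of U-Boot's own documentation: a FIT source (.its) that signs each subimage as well as the configuration, so that a direct subimage selection such as `bootm ${loadaddr}:kernel@1 - fdt@1` has a signature to be checked against a key marked `required = "image"` in the control FDT. File names, load addresses and the key hint names `dev-img` and `dev-conf` are constructed.

```dts
/dts-v1/;
/* Hardened FIT source: every subimage carries its own signature node in
 * addition to the signed configuration. Lines marked ADDED are what a
 * signed-configs-only layout (doc/uImage.FIT/signed-configs.its) lacks.
 * File names, load addresses and key hint names are constructed. */
/ {
	description = "Signed kernel and FDT for an i.MX6 board";
	#address-cells = <1>;
	images {
		kernel@1 {
			data = /incbin/("zImage");
			type = "kernel"; arch = "arm"; os = "linux";
			compression = "none";
			load = <0x10800000>; entry = <0x10800000>;
			hash@1 { algo = "sha256"; };
			signature@1 {                    /* ADDED: per-image signature */
				algo = "sha256,rsa2048";
				key-name-hint = "dev-img";
			};
		};
		fdt@1 {
			data = /incbin/("board.dtb");
			type = "flat_dt"; arch = "arm"; compression = "none";
			hash@1 { algo = "sha256"; };
			signature@1 {                    /* ADDED: per-image signature */
				algo = "sha256,rsa2048";
				key-name-hint = "dev-img";
			};
		};
	};
	configurations {
		default = "conf@1";
		conf@1 {
			kernel = "kernel@1";
			fdt = "fdt@1";
			signature@1 {                    /* as in signed-configs.its */
				algo = "sha256,rsa2048";
				key-name-hint = "dev-conf";
				sign-images = "fdt", "kernel";
			};
		};
	};
};
```

The control FDT (u-boot.dtb) then has to carry two key nodes, `key-dev-img` with `required = "image"` and `key-dev-conf` with `required = "conf"` (mkimage -K together with -r writes them when signing). Image signature nodes that are present in the FIT but not backed by a key marked `required = "image"` are simply not enforced, which leaves the direct subimage path as unverified as the message describes.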
 

Thread overview: 4+ messages
2018-07-31  8:22 Johann Neuhauser [this message]
2018-08-02 12:52 ` [U-Boot] U-Boot: Verified Boot: signed configuration and mix and match attack Simon Glass
2018-08-02 13:20   ` Johann Neuhauser
2018-08-02 20:36     ` Simon Glass
