From mboxrd@z Thu Jan 1 00:00:00 1970
From: Johann Neuhauser
Date: Tue, 31 Jul 2018 08:22:35 +0000
Subject: [U-Boot] U-Boot: Verified Boot: signed configuration and mix and match attack
Message-ID:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Dear U-Boot devs,

I've set up verified boot on an imx6 board and want to protect my device against the "mix and match" attacks mentioned in "doc/uImage.FIT/signature.txt". That's why I have only implemented signed configurations and no signed images, as in doc/uImage.FIT/signed-configs.its. My public key in my embedded fdt has the property required = "conf";

Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded public key required for configurations does work as expected and does fail to boot if I modify the config, image, hash, signature and so on.

If I boot any FIT image (signed and unsigned), for example with "bootm ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I could boot every image combination without signature verification, although a signature is enforced for a configuration.

Is this the expected behavior? I thought if I had set the public key in the embedded fdt as required for configurations, bootm would only boot signed configurations and no subimages directly...

Best regards
Johann Neuhauser
DH electronics GmbH