Hi Leonard,

I tested it on a couple of machines on my side and it fixes the regression.

Tested-by: Jose Quaresma <jose.quare...@foundries.io>

Thanks for working on the solution.

Jose

Rogerio Guerra Borin via lists.openembedded.org <rogerio.borin=
toradex....@lists.openembedded.org> wrote (Thursday, 20/02/2025 at
19:22):

> Hi Leonard,
>
> I've tested your patch and I wanted to let you know it worked fine for me
> both when FIT_SIGN_INDIVIDUAL="1" and "0". I've checked the contents of the
> u-boot dtb (for the presence of the required pubkeys) and the fitImage (for
> the signatures) and the results match what we had before commit d7bd9c62766
> ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and
> UBOOT_ENV enabled").
>
> As for the patch, since the understanding is that when
> FIT_SIGN_INDIVIDUAL="1" the individual images will be signed besides the
> signing of the configurations then I'd say that sentence in the comment
> "Signing individual images is not recommended as that makes fitImage
> susceptible to mix-and-match attack" seems unnecessary/misleading to me
> since it gives the impression that one would get either images or
> configurations signed.
>
> As for the check performed at build time by the "fit_check_sign" tool, the
> fact that now the check is done only on the configuration doesn't seem like
> a big loss to me. Though I imagine the ideal solution would be to have that
> check on the final fitImage rather than on a temporary one (unused.itb) in
> order to provide stronger guarantees that the image is correctly signed.
> However, this would likely complicate things which may make it not worth
> the effort...
>
> Regards

-- 
Best regards,

José Quaresma