Hello Tom, Simon, Wolfgang, Lars,
On 09.05.2014 21:12, Tom Rini wrote:
> On Fri, May 09, 2014 at 12:47:44PM -0600, Simon Glass wrote:
>> Hi Wolfgang,
>> On 9 May 2014 07:35, Wolfgang Denk <w...@denx.de> wrote:
>>> Dear Simon,
>>> In message <CAPnjgZ1_Cf-eu592YqF0=th7mt1da6gh7pv1lxaf79kv8lw...@mail.gmail.com>
>>> you wrote:
>>>> I agree that it might be dangerous to allow legacy boot when signature
>>>> verification is used. It would be nice to fix that.
>>> I think there is general agreement on this point.
>>>> This means that legacy is on by default, unless signature verification
>>>> is enabled, in which case the default flips. But I worry that it might
>>>> only confuse people. This seems like a Wolfgang / Tom question :-)
>>> OK, here is my 0.02€ to it:
>>> I think, no matter how we implement it, this should be exactly the
>>> behaviour. Average users tend to avoid reading documentation, so if
>>> they enable signature verification they most likely want a secure
>>> system, so we should give them just that. Only if someone really
>>> knows what he is doing should he be able to enable support for
>>> (insecure) legacy images.
>>> As for the implementation - yes, the
>>> #ifdef CONFIG_FIT_SIGNATURE_VERIFICATION
>>> approach indeed does not look very nice, but then, it appears to be
>>> the straightforward implementation of what we want to do?
>> OK, well in that case, let's do it that way.
> Agreed, then we can look for clever ways to refactor the code after.
OK, summary for a first step (I can do):
- introduce CONFIG_IMAGE_FORMAT_LEGACY based on patch [1]
(rename "+#if !defined(CONFIG_DISABLE_IMAGE_FORMAT_LEGACY)"
to "+#if defined(CONFIG_IMAGE_FORMAT_LEGACY)")
- set CONFIG_IMAGE_FORMAT_LEGACY as default:
(a little bit adapted towards Simon's CONFIG_FIT_SIGNATURE_VERIFICATION
proposal ... I don't want to introduce a new define ...)
in config_defaults:
+/* no signature verification: keep the legacy image format enabled by default */
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_FORMAT_LEGACY
+#endif
so, if boards do not define CONFIG_FIT_SIGNATURE, they
have CONFIG_IMAGE_FORMAT_LEGACY enabled by default (as currently).
If CONFIG_FIT_SIGNATURE is enabled, the legacy image format is
disabled by default (this changes the current behaviour of boards which
use this feature! This is only the case for:
$ grep -lr CONFIG_FIT_SIGNATURE include/
include/configs/zynq-common.h -> Michal, add Michal therefore to Cc
include/configs/sandbox.h -> Simon
include/configs/ids8313.h -> me
include/image.h
$
), but boards can enable it if needed (as the ids8313 board needs
it ... yes, not nice ...)
For boards which have not enabled CONFIG_FIT_SIGNATURE
and want to disable the legacy image format ... we can add this
case if we want, like:
in config_defaults:
+/* no signature verification: keep the legacy image format enabled by default */
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_IMAGE_FORMAT_LEGACY
+#endif
+
+/* explicit board opt-out, regardless of the default above */
+#ifdef CONFIG_DISABLE_IMAGE_LEGACY
+#undef CONFIG_IMAGE_FORMAT_LEGACY
+#endif
Is this a way to go?
bye,
Heiko
[1]: [U-Boot] [PATCH 1/4] bootm: allow to disable legacy image format
http://lists.denx.de/pipermail/u-boot/2014-May/179190.html
--
DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
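As an added example (not code from this thread and not U-Boot's own source), the following C program models the config_defaults chain Heiko proposes above and an image-format probe that honours it, so the three cases (no CONFIG_FIT_SIGNATURE, CONFIG_FIT_SIGNATURE alone, CONFIG_FIT_SIGNATURE with a board re-enabling the legacy format) can be checked without rebuilding a board. The runtime helper legacy_format_enabled(), probe_image_format(), LEGACY_FORMAT_COMPILED_IN and the sample headers are constructed for illustration; IH_MAGIC and FDT_MAGIC are the real legacy-uImage and flattened-device-tree magic values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * The proposed config_defaults logic from the mail, reproduced as a
 * self-contained preprocessor block.  Build with -DCONFIG_FIT_SIGNATURE to
 * see the default flip, and add -DCONFIG_DISABLE_IMAGE_LEGACY for the opt-out.
 */
#ifndef CONFIG_FIT_SIGNATURE
#define CONFIG_IMAGE_FORMAT_LEGACY
#endif

#ifdef CONFIG_DISABLE_IMAGE_LEGACY
#undef CONFIG_IMAGE_FORMAT_LEGACY
#endif

#ifdef CONFIG_IMAGE_FORMAT_LEGACY
#define LEGACY_FORMAT_COMPILED_IN true
#else
#define LEGACY_FORMAT_COMPILED_IN false
#endif

/*
 * Runtime equivalent of the same decision chain, so every combination can be
 * exercised in one binary (hypothetical helper, not U-Boot code).
 *   fit_signature  - board defines CONFIG_FIT_SIGNATURE
 *   board_enables  - board header defines CONFIG_IMAGE_FORMAT_LEGACY itself
 *                    (the ids8313 case from the mail)
 *   board_disables - board header defines CONFIG_DISABLE_IMAGE_LEGACY
 */
bool legacy_format_enabled(bool fit_signature, bool board_enables, bool board_disables)
{
    bool legacy = board_enables;
    if (!fit_signature)      /* #ifndef CONFIG_FIT_SIGNATURE -> #define */
        legacy = true;
    if (board_disables)      /* #ifdef CONFIG_DISABLE_IMAGE_LEGACY -> #undef */
        legacy = false;
    return legacy;
}

#define IH_MAGIC  0x27051956u   /* legacy uImage header magic (real U-Boot value) */
#define FDT_MAGIC 0xd00dfeedu   /* flattened device tree magic; FIT images start with it */

enum image_fmt { IMAGE_FORMAT_INVALID = 0, IMAGE_FORMAT_LEGACY, IMAGE_FORMAT_FIT };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Probe the header and refuse a legacy image unless that format is enabled.
 * With signature verification on and the legacy format off, an unsigned
 * uImage never reaches the boot path at all.  Hypothetical model of the
 * dispatch the patch series gates, not U-Boot's genimg_get_format().
 */
enum image_fmt probe_image_format(const unsigned char *buf, size_t len, bool legacy_enabled)
{
    if (len < 4)
        return IMAGE_FORMAT_INVALID;
    uint32_t magic = be32(buf);
    if (magic == FDT_MAGIC)
        return IMAGE_FORMAT_FIT;
    if (magic == IH_MAGIC)
        return legacy_enabled ? IMAGE_FORMAT_LEGACY : IMAGE_FORMAT_INVALID;
    return IMAGE_FORMAT_INVALID;
}

/* Constructed sample headers: only the leading 4-byte magic matters here. */
static const unsigned char sample_legacy[8] = { 0x27, 0x05, 0x19, 0x56, 0, 0, 0, 0 };
static const unsigned char sample_fit[8]    = { 0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 0 };

int main(void)
{
    bool legacy = LEGACY_FORMAT_COMPILED_IN;
    printf("legacy image format compiled in: %s\n", legacy ? "yes" : "no");
    printf("legacy uImage header -> format %d\n",
           probe_image_format(sample_legacy, sizeof sample_legacy, legacy));
    printf("FIT header           -> format %d\n",
           probe_image_format(sample_fit, sizeof sample_fit, legacy));
    /* the default once CONFIG_FIT_SIGNATURE is set, whatever this binary was built with */
    printf("legacy uImage header with CONFIG_FIT_SIGNATURE -> format %d\n",
           probe_image_format(sample_legacy, sizeof sample_legacy,
                              legacy_format_enabled(true, false, false)));
    return 0;
}
```

Compile once plainly and once with -DCONFIG_FIT_SIGNATURE to watch LEGACY_FORMAT_COMPILED_IN flip; the runtime helper shows the same outcome for the opt-in and opt-out board cases without a rebuild.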