On Wed, Jun 6, 2018 at 4:35 AM, Jun Nie <jun....@linaro.org> wrote: > 2018-06-06 9:08 GMT+08:00 Teddy Reed <teddy.r...@gmail.com>: >> When using verified-boot in the SPL, the FIT content must be >> verified before it can be used. >> >> Currently the load_addr FIT property is read and used as input to >> memcpy before the property is verified. >> >> Signed-off-by: Teddy Reed <teddy.r...@gmail.com> >> --- > > Reviewed-by: Jun Nie <jun....@linaro.org>
Thanks for taking a look Jun! I did not see any sandbox tests exercising the SPL/signature checking so I included 'RFC'. I know you are familiar with using the signature checking within the SPL, and you helped make it possible in the first place. The three minor concerns I had when moving the validation earlier are: (1) the signature was originally calculated on the potentially uncompressed version, but this seems unlikely; similarly (2) the post process board-specific methods can mutate the signed content; and (3) now using the src address means reading directly from storage / etc instead of potentially SRAM/DRAM. For (1) see that line 256 was uncompressing the data before signature checking. Then the signature check was applied to the uncompressed region. To be clear I think this patch is the correct approach, and the signature check should apply to the compressed content. For (2) see that line 248 is board-specific, I am assuming that can mutate the content. Thus the signature check should be placed before that call. Thanks again! -- Teddy Reed V _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
