Hi Johann,

On 31 July 2018 at 02:22, Johann Neuhauser <jneuhau...@dh-electronics.de> wrote:
> Dear U-Boot devs,
>
> I've set up verified boot on an imx6 board and want to protect my device
> against the "mix and match" attacks mentioned in
> "doc/uImage.FIT/signature.txt".
> That's why I have only implemented signed configurations and no signed images,
> as in doc/uImage.FIT/signed-configs.its.
> My public key in my embedded fdt has the property required = "conf";
>
> Booting a signed config with "bootm ${loadaddr}#conf@1" and an embedded
> public key required for configurations does work as expected and does fail to
> boot if I modify the config, image, hash, signature and so on.
>
> If I boot any FIT image (signed and unsigned), for example with "bootm
> ${loadaddr}:kernel@1 - fdt@1" to select the subimages directly, I could boot
> every image combination without signature verification, although a signature
> is enforced for a configuration.
>
> Is this the expected behavior?
>
> I thought if I had set the public key in the embedded fdt as required for
> configurations, bootm would only boot signed configurations and no subimages
> directly...
I don't think there is any restriction on that at the moment. You are explicitly asking to boot particular images rather than a config. So I suppose it would be odd if U-Boot tried to enforce a config.

Are you thinking it should try to find a config that has those images in it? But why not just specify the config to bootm?

Bear in mind also that users don't have access to the U-Boot command line when using verified boot, so they wouldn't be able to type this command.

Regards,
Simon

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
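As an added example (not part of this thread or of U-Boot itself), a small audit over a constructed boot-script fragment that flags `bootm` invocations using the `addr:image` subimage syntax, which, as the reply above explains, are not covered by a configuration signature when only `required = "conf"` is in place; the `addr#conf` form and a bare address both boot a configuration and are verified. The sample script lines and the function names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample boot-script fragment (not from the original thread).
SAMPLE_SCRIPT = """
# production path: whole configuration is signed and verified
bootm ${loadaddr}#conf@1
# leftover debug path: selects subimages directly, no config signature check
bootm ${loadaddr}:kernel@1 - fdt@1
bootm ${loadaddr}:kernel@1 ${loadaddr}:ramdisk@1 ${loadaddr}:fdt@1
# bare address: U-Boot picks the default configuration, which is verified
bootm ${loadaddr}
"""

BOOTM_RE = re.compile(r'^\s*bootm\b(.*)$')


def classify_bootm(line: str) -> Optional[str]:
    """Return how a bootm line selects what to boot, or None if not a bootm line.

    'config'         -> addr#conf: a configuration is selected and verified.
    'default-config' -> bare addr: the FIT's default configuration is used.
    'subimage'       -> addr:image: subimages are picked directly, so a key with
                        required = "conf" does not protect the combination.
    """
    m = BOOTM_RE.match(line)
    if not m:
        return None
    args = m.group(1).split()
    if not args:
        return "default-config"
    if "#" in args[0]:
        return "config"
    if any(":" in a for a in args):
        return "subimage"
    return "default-config"


def audit_boot_script(script: str) -> List[Tuple[int, str, str]]:
    """Classify every bootm line in a script; comments are skipped."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        verdict = classify_bootm(line)
        if verdict is not None:
            findings.append((lineno, verdict, line.strip()))
    return findings


def unverified_boot_lines(script: str) -> List[Tuple[int, str, str]]:
    """Only the lines whose image combination escapes config-level signing."""
    return [f for f in audit_boot_script(script) if f[1] == "subimage"]
```

Running `unverified_boot_lines(SAMPLE_SCRIPT)` reports the two subimage-selecting lines, which is the kind of leftover a build-time check on boot.scr or the default environment can catch before a board ships.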