On 21/11/18 15:37, Simon Goldschmidt wrote: > > > Am Mi., 21. Nov. 2018, 15:27 hat Wolfgang Denk <w...@denx.de > <mailto:w...@denx.de>> geschrieben: > > Dear Stefano, > > In message <7089ef62-ed0f-87f4-e979-8c18a6ae4...@denx.de > <mailto:7089ef62-ed0f-87f4-e979-8c18a6ae4...@denx.de>> you wrote: > > > > > Right, when we sign (and check the signatures) of all other images, > > > then why not do the very same for some environment image? > > > > The weird thing is with "saveenv" - if we just read the env, it is > fine, > > but if we want to change it, we need to sign, and this requires a > > private key on target. > > Agreed, but this is a totaly different issue. > > The separate (potentially singed0 environment image is only the > replacement for the current "default environment", which is not > used for "env save". In the same way, there is no need to modfy the > signed image. > > But yes, it might be desirable to protect the working environment > against malicious manipulation - but this should be discussed in a > separate thread. > > > > That would even be _better_ as currently there is no, absolutely no > > > check if the builtin default environment is in any way consistent. > > > > This is not true. If the environment is linked to u-boot, it is signed > > together with u-boot and its consistency is automatically verified. > > Only if you use signed images. With plain U-Boot, there is not even > a checksum for it... > > > When SPL loads U-Boot from a legacy image, isn't there a CRC involved > over the full image including the environment?
I think Marek is talking about raw u-boot, not in case mkimage has put an header at the beginning. See CONFIG_SPL_RAW_IMAGE_SUPPORT and spl_parse_image_header(). The image is simply loaded without checks. Best regards, Stefano -- ===================================================================== DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de ===================================================================== _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
