On Sun, Sep 12, 2021 at 02:58:12AM +0500, Moiz Imtiaz wrote:
> Completely agreed, that a fully secure boot on Pi won't be achievable
> because the Root of Trust (ROT) can't be established from the BootROM/EEPROM.
> Plus Pi doesn't have any High Assurance Boot (HAB). But given the
> scenario, whatever we can achieve, i.e. if we can verify the kernel and the
> device tree from the bootloader (U-Boot), that would be great.
>
> Currently the issue with Pi 4 is that signature verification is not being
> done with U-Boot, so wondering if that can be made possible.

Right, OK. Yes, I think it would be possible, but you'll need to experiment a bit. You'll basically want to take the signature information that the U-Boot docs talk about out of the created device tree, put it in its own file, and then have the Pi firmware apply that as an "overlay" as it assembles the tree to use. Then the regular mechanism U-Boot uses to use the passed-in device tree should work.

> > But that applies to the scenario where the public key is stored in the
> > device tree embedded in U-Boot itself as well
>
> Just for the sake of knowledge, isn't this the case with all U-Boot, that
> the public key is stored in the device tree (control FDT) and is embedded
> in the U-Boot?

You're in experimental territory here, yes. The existing examples are all on platforms where a prior stage wouldn't be giving us a device tree. U-Boot should not actually care where the device tree comes from so long as it is correct. I've only got a Pi 3 in my CI lab, and since it's CI I also really hate fiddling with it, since I then end up spending more time re-setting it for CI.

-- 
Tom
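The split Tom suggests above (take the `/signature` node that `mkimage -K` writes into U-Boot's control device tree, move it into its own file, and let the Pi firmware merge it back as an overlay) as an added worked example. This is not code from the thread, from U-Boot or from the Raspberry Pi firmware; it assumes the control DTS has already been populated by `mkimage -K`, that the node is named `signature` with `key-<hint>` children (as U-Boot documents), and that the firmware applies the compiled `.dtbo` through the `dtoverlay=` line in `config.txt`. The sample DTS and every key value in it are constructed placeholders. It also performs the check a defender wants before shipping the overlay: every key must carry the `required` property, because U-Boot only enforces signatures for keys marked `required`.

```python
"""Move the U-Boot verified-boot key node from a control DTS into an overlay.

Added example, not code from U-Boot or the Raspberry Pi firmware. Assumes the
control DTS was populated by `mkimage -K` (public key under /signature/key-<hint>)
and that the resulting .dtbo is applied via config.txt `dtoverlay=`.
All key material below is constructed placeholder data, not a real key.
"""
import re
import textwrap
from typing import Dict, List, Tuple

# Constructed sample of a control DTS after `mkimage -K`: property names follow
# what mkimage emits, the numeric values are fake.
SAMPLE_DTS = """\
/dts-v1/;

/ {
\tmodel = "Example board";
\tcompatible = "example,board";

\tchosen {
\t\tstdout-path = "serial0:115200n8";
\t};

\tsignature {
\t\tkey-dev {
\t\t\trequired = "conf";
\t\t\talgo = "sha256,rsa2048";
\t\t\tkey-name-hint = "dev";
\t\t\trsa,r-squared = <0x00 0x01 0x02 0x03>;
\t\t\trsa,modulus = <0x00 0x01 0x02 0x03>;
\t\t\trsa,exponent = <0x00 0x10001>;
\t\t\trsa,n0-inverse = <0x12345678>;
\t\t\trsa,num-bits = <0x800>;
\t\t};
\t};
};
"""


def _find_node(dts: str, name: str) -> Tuple[int, int]:
    """Return (start, end) offsets of `name { ... };` including its line indent
    and trailing newline. Braces inside string literals are ignored."""
    m = re.search(r"(?m)^[ \t]*" + re.escape(name) + r"\s*\{", dts)
    if not m:
        raise ValueError(f"node {name!r} not found")
    i, depth, in_str = m.end(), 1, False
    while i < len(dts) and depth:
        c = dts[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError("unbalanced braces")
    j = i
    while j < len(dts) and dts[j] in " \t":
        j += 1
    if j < len(dts) and dts[j] == ";":   # node terminator
        i = j + 1
    if i < len(dts) and dts[i] == "\n":
        i += 1
    return m.start(), i


def extract_node(dts: str, name: str) -> str:
    """The node source, dedented, ready to drop into another tree."""
    s, e = _find_node(dts, name)
    return textwrap.dedent(dts[s:e]).strip("\n")


def remove_node(dts: str, name: str) -> str:
    """The control DTS with the node removed (it now comes from the overlay)."""
    s, e = _find_node(dts, name)
    return dts[:s] + dts[e:]


def make_overlay(node_text: str) -> str:
    """Wrap the node in a root-targeted overlay fragment (dtc -@ syntax)."""
    body = "\n".join(("\t\t\t" + ln) if ln else ln for ln in node_text.splitlines())
    return ("/dts-v1/;\n/plugin/;\n\n/ {\n\tfragment@0 {\n\t\ttarget-path = \"/\";\n"
            "\t\t__overlay__ {\n" + body + "\n\t\t};\n\t};\n};\n")


def key_requirements(node_text: str) -> Dict[str, str]:
    """Map each key sub-node to its `required` value ("conf"/"image"), or None
    when absent. U-Boot only verifies signatures for keys marked required, so
    a key without it would not stop an unsigned or tampered FIT from booting."""
    names = re.findall(r"(?m)^[ \t]*([\w,@-]+)\s*\{", node_text)[1:]  # skip the node itself
    out: Dict[str, str] = {}
    for name in names:
        s, e = _find_node(node_text, name)
        m = re.search(r'required\s*=\s*"([^"]*)"\s*;', node_text[s:e])
        out[name] = m.group(1) if m else None
    return out


def unenforced_keys(node_text: str) -> List[str]:
    """Key nodes that would be silently optional at boot."""
    return [k for k, v in key_requirements(node_text).items() if v is None]


if __name__ == "__main__":
    node = extract_node(SAMPLE_DTS, "signature")
    if unenforced_keys(node):
        raise SystemExit(f"keys without 'required': {unenforced_keys(node)}")
    print(make_overlay(node))          # -> signature-overlay.dts
    print(remove_node(SAMPLE_DTS, "signature"))  # -> control DTS without the key
```

Compile the printed overlay with `dtc -@ -I dts -O dtb -o signature.dtbo signature-overlay.dts`, place it in the `overlays/` directory of the boot partition and add `dtoverlay=signature` to `config.txt` (the directory name and the firmware honouring a root-targeted fragment are assumptions to verify on the board, as Tom says this is experimental territory). The caveat from the thread still applies: the overlay lives on the same unauthenticated storage as everything else, so this gives signature checking of the kernel and device tree from U-Boot onward, not a root of trust below it.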