Hi Andrew, I am curious about the usage scenario. Is the runtime control required for production release? As this control acts like a backdoor to bypass the chain-of-trust. If it is for debugging/development purposes, should we encourage the use of unsigned images under RD environments? Beyond this, I have no concern as the patch provides more flexibility.
> From: Andrew Jeffery <and...@aj.id.au> > Sent: Monday, January 31, 2022 11:42 AM > > Some platform designs include support for disabling secure-boot via a jumper > on the board. Sometimes this control can be separate from the mechanism > enabling the root-of-trust for the platform. Add support for this latter > scenario > by allowing boards to implement board_fit_image_require_verfied(), which is > then invoked in the usual FIT verification paths. > > Signed-off-by: Andrew Jeffery <and...@aj.id.au> > --- > Hi, > > This patch is extracted from and motivated by a series adding run-time control > of FIT signature verification to u-boot in OpenBMC: > > https://lore.kernel.org/openbmc/20220131012538.73021-1-and...@aj.id.au/ > > Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking > upstream and contains a bunch of out-of-tree work as well. As such I'm looking > to upstream the couple of changes that make sense against master. > > Please take a look! > > Andrew > > boot/Kconfig | 8 ++++++++ > boot/image-fit.c | 21 +++++++++++++++++---- include/image.h | 9 > +++++++++ > 3 files changed, 34 insertions(+), 4 deletions(-) > > diff --git a/boot/Kconfig b/boot/Kconfig index c8d5906cd304..ec413151fd5a > 100644 > --- a/boot/Kconfig > +++ b/boot/Kconfig > @@ -78,6 +78,14 @@ config FIT_SIGNATURE > format support in this case, enable it using > CONFIG_LEGACY_IMAGE_FORMAT. > > +if FIT_SIGNATURE > +config FIT_RUNTIME_SIGNATURE > + bool "Control verification of FIT uImages at runtime" > + help > + This option allows board support to disable verification of > + signatures at runtime, for example through the state of a GPIO. > +endif # FIT_SIGNATURE > + Using "depends on" might be preferred for Kconfig dependency. Regards, Chiawei
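Review bot: The help text for FIT_RUNTIME_SIGNATURE in the boot/Kconfig hunk understates what the option does. It says board support can "disable verification of signatures at runtime", but not that this removes the enforcement FIT_SIGNATURE is enabled to provide. Suggest extending the help to say that with this option set, whether signatures are required is decided by a board-supplied hook, that the input the hook reads (the example given is a GPIO) needs to be protected to the same degree as the rest of the verified-boot configuration, and that the option should be left off on boards with no such control. Separately, the commit message names the hook board_fit_image_require_verfied(); if the identifier is spelled that way in include/image.h, it is worth correcting to "verified" before boards start implementing it.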