On Thu, Nov 03, 2022 at 05:35:33PM -0400, Sean Anderson wrote:
> As discussed previously [1,2], the source command is not safe to use with
> verified boot unless there is a key with required = "images" (which has its
> own problems). This is because if such a key is absent, signatures are
> verified but not required. It is assumed that configuration nodes will
> provide the signature. Because the source command does not use
> configurations to determine the image to source, effectively no
> verification takes place.
>
> To address this, allow specifying configuration nodes. We use the same
> syntax as the bootm command (helpfully provided for us by fit_parse_conf).
> By default, we first try the default config and then the default image. To
> force using a config, # must be present in the command (e.g. `source
> $loadaddr#my-conf`). For convenience, the config may be omitted, just like
> the address may be (e.g. `source \#`). This also works for images
> (`source \:` behaves exactly like `source` currently does).
>
> [1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9ee...@prevas.dk/
> [2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005...@gmail.com/
>
> Signed-off-by: Sean Anderson <sean.ander...@seco.com>
> Reviewed-by: Simon Glass <s...@chromium.org>
Currently, there are two problems. One, fit_conf_get_prop_node() should be called (I believe) with IH_PHASE_NONE, which I can do when applying. However, two, fit_config_verify() depends on CONFIG_IS_ENABLED(FIT_SIGNATURE) and I'm less immediately sure how to rework that into this patch. Can you please rebase on top of current next? Thanks.

-- 
Tom