Hi Sascha, in my opinion it is better to have it configurable, because ther are different use cases and security requirements. i found the problem by creating a sd-card \emmc image with wic. The mbr, the partition table and bootloader became be signed at barebox build and wic changes the partition table at the end of the build process. Then the sd card image could not boot , because the signature was wrong. yeah secure boot works :-) the highest protection you have, when mbr and partition table is signed with the bootloader, but it is not always necessary.
there was implemented skip-mbr, dcdofs and full, but full was by default in the code. at the moment i think , it is a good and easy choice. Best regards Maik Am 10.12.2019 um 16:21 schrieb Sascha Hauer: > On Tue, Dec 10, 2019 at 04:06:27PM +0100, Maik Otto wrote: >> the whole barebox with mbr and partition table will be signed by default >> add the possibility in the Kconfig to change from full signing to skip-mbr >> and from-dcdofs > Not signing the MBR seems the right thing to do. Do we need it > configurable at all or would it be better to just always skip the first > KiB? > > Sascha > _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox
