On Tue, Dec 11, 2018 at 12:43:02PM +0100, Łukasz Rymanowski wrote:
> Hi Chris,
>
> I read it all and indeed it was thrilling :)

Thanks for reading!

> I think this is a good idea and this is the way to go. I just have a feeling
> that the internal mfgimage should be able to verify the external one somehow, to
> make sure the second factory did a good job.
> But maybe this is not needed, as the bootloader will do signature validation of
> the images inside the external mfgimage (if I recall correctly). Anyway,
> just a thought to consider.

I agree that it would be good if the boot mfgimage could verify the others.
I think there is a problem here, though.

Mfgimages are weird things in that their contents don't remain intact on a
device. An mfgimage might contain a Mynewt image and a pre-filled sys/config
FCB, for example. When the device starts up in the field, it will append new
data to the FCB. A back-end management service may upload a new Mynewt image
to the device, overwriting the one that came from the mfgimage.

So, the mfgimage hashes on a device become inaccurate very quickly. Their
purpose is not to validate what is on the device now, but to identify what
was put on the device originally. So, I don't think we can use the mfgimage
hash to verify anything.

Maybe there is another approach that would work?

Chris
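The point Chris makes above, shown as an added, stand-alone example that is not Mynewt code and not part of the original thread: a hash taken over everything an mfgimage wrote (image plus pre-filled config region) stops matching as soon as the device appends to the FCB or takes an image upgrade, while the bootloader's per-image signature check is unaffected by either, and the hash recorded at flash time still identifies which mfgimage the device came from. The FCB entry layout, the `Device`/`Mfgimage` types and the use of ed25519 as a stand-in for the bootloader's image signature scheme are simplifications assumed for the example; they are not Mynewt's actual formats or APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedImage is a simplified stand-in for a Mynewt image slot: the image
// body plus the signature the bootloader checks. The signature covers Body only.
type SignedImage struct {
	Body []byte
	Sig  []byte
}

// Mfgimage is what the factory flashed: an image, a pre-filled config region,
// and a hash over both as they were at manufacturing time.
type Mfgimage struct {
	Image SignedImage
	FCB   []byte
	Hash  [32]byte
}

// Device models the two flash areas after they leave the factory. MfgHash is
// the hash recorded at flash time; it never changes, but Image and FCB do.
type Device struct {
	Image   SignedImage
	FCB     []byte
	MfgHash [32]byte
}

// hashContents hashes everything the mfgimage put on the device.
func hashContents(img SignedImage, fcb []byte) [32]byte {
	h := sha256.New()
	h.Write(img.Body)
	h.Write(img.Sig)
	h.Write(fcb)
	var sum [32]byte
	copy(sum[:], h.Sum(nil))
	return sum
}

// NewSigner generates the image-signing key pair (hypothetical; a real
// product keeps this key offline or in an HSM).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage produces the per-image signature the bootloader will verify.
func SignImage(priv ed25519.PrivateKey, body []byte) SignedImage {
	return SignedImage{Body: body, Sig: ed25519.Sign(priv, body)}
}

// BootVerify is the bootloader's check: a signature over the image body only,
// independent of whatever sits in the config region.
func BootVerify(pub ed25519.PublicKey, img SignedImage) bool {
	return ed25519.Verify(pub, img.Body, img.Sig)
}

// BuildMfgimage packages an image with an initial config region and records
// the hash of the whole thing.
func BuildMfgimage(img SignedImage, initialFCB []byte) Mfgimage {
	return Mfgimage{Image: img, FCB: initialFCB, Hash: hashContents(img, initialFCB)}
}

// Flash copies the mfgimage contents onto a fresh device and records its hash.
func Flash(m Mfgimage) *Device {
	img := SignedImage{Body: append([]byte(nil), m.Image.Body...), Sig: append([]byte(nil), m.Image.Sig...)}
	return &Device{Image: img, FCB: append([]byte(nil), m.FCB...), MfgHash: m.Hash}
}

// StillMatchesMfgimage recomputes the manufacturing hash over the device's
// current contents: the check that cannot stay true once the device is in use.
func (d *Device) StillMatchesMfgimage() bool {
	return hashContents(d.Image, d.FCB) == d.MfgHash
}

// AppendConfig models sys/config writing a new entry into the FCB at run time.
// The entry format (little-endian length, then "key=value") is a simplified
// stand-in for the real FCB layout.
func (d *Device) AppendConfig(key, val string) {
	entry := []byte(key + "=" + val)
	var hdr [2]byte
	binary.LittleEndian.PutUint16(hdr[:], uint16(len(entry)))
	d.FCB = append(d.FCB, hdr[:]...)
	d.FCB = append(d.FCB, entry...)
}

// Upgrade models a management service replacing the image in the slot.
func (d *Device) Upgrade(img SignedImage) { d.Image = img }

func main() {
	pub, priv := NewSigner()
	m := BuildMfgimage(SignImage(priv, []byte("mynewt app v1")), []byte("factory defaults"))
	d := Flash(m)
	fmt.Println("fresh device matches mfgimage hash:", d.StillMatchesMfgimage())
	d.AppendConfig("net/ip", "10.0.0.5") // constructed run-time config write
	fmt.Println("after FCB append: hash matches", d.StillMatchesMfgimage(), "| boot verify", BootVerify(pub, d.Image))
	d.Upgrade(SignImage(priv, []byte("mynewt app v2")))
	fmt.Println("after upgrade: hash matches", d.StillMatchesMfgimage(), "| boot verify", BootVerify(pub, d.Image))
	fmt.Printf("recorded provenance hash still identifies mfgimage %x...\n", d.MfgHash[:4])
}
```

The recorded `MfgHash` is only useful as a provenance label: to know what the second factory actually flashed, the thing that has to be checked is each image's own signature, which is why delegating the check to the bootloader works where a whole-mfgimage hash does not.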