On Tue, Dec 11, 2018 at 12:43:02PM +0100, Łukasz Rymanowski wrote:
> Hi Chris,
>
> I read it all and indeed it was thrilling :)
Thanks for reading!
> I think this is a good idea and this is a way to go. I have just feeling
> that internal mfgimage should be able to verify external one somehow, to
> make sure second factory did a good job
> But maybe this is not needed as bootloader will do signature validation of
> the images inside the external mfgimage (if I recall correctly). Anyway,
> just a thought to consider.
I agree that it would be good if the boot mfgimage could verify the
others. I think there is a problem here, though. Mfgimages are weird
things in that their contents don't remain intact on a device. An
mfgimage might contain a Mynewt image and a pre-filled sys/config FCB,
for example. When the device starts up in the field, it will append new
data to the FCB. A back end management service may upload a new Mynewt
image to the device, overwriting the one that came from the mfgimage.
So, the mfgimage hashes on a device become inaccurate very quickly.
Their purpose is not to validate what is on the device now, but to
identify what was put on the device originally.
So, I don't think we can use the mfgimage hash to verify anything.
Maybe there is another approach that would work?
Chris