On Thu, Jun 7, 2018 at 3:45 PM, Sam Voss <sam.v...@rockwellcollins.com> wrote:
> Teddy,
>
> On Thu, Jun 7, 2018 at 12:27 PM, Teddy Reed <teddy.r...@gmail.com> wrote:
>>
>> Hi all, question, is anyone using the U-Boot verified-boot in production?
>
> I have been digging into this lately as well, and actually noticed a
> few other things on top of what you are seeing, mentioned below. I
> don't want to derail this email thread too much, but there is another
> patch working on signature-key fallback sequencing as well (which
> claims to be supported).

No worries, any/all attention on the verified-boot implementation is great!

>
>> I am using configuration verification for several OpenCompute/OpenBMC
>> boards. After a deep-dive review I found some edge cases that in rare
>> circumstances could lead to a signature check bypass.
>
> Slightly related: if you use two fit images to boot it seems that the
> second will never be verified. Once the first is deemed OK it just
> lets the boot happen.

Good find, this sounds like a limitation of the signature checking. But
this can be dangerous if you expected the secondary FIT to be checked. I
hope no one is using this scenario for production boards. Curious if your
planned patch is also addressing this limitation?

>
>> I think this is
>> low-risk at best since the scenario requires special hardware behavior
>> to exist. Our boards were susceptible in the general sense, but we had
>> implemented some additional sanity checks on the FIT structures that
>> prevented this.
>>
>> There are some proposed changes that attempt to mitigate this [1],
>> [2], [3]. Any one of these changes mitigates the bypass scenario. If
>> you don't mind reaching out to me I can share the exact
>> situation/details.
>>
>> [1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
>> [2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
>> [3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html
>>
>> Thanks,
>> -Teddy
>
> Thanks,
>
> Sam

Thanks,
-Teddy