On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpds...@gmail.com> wrote:
>
> I am looking at enabling verified boot in the v2019.04-rc4 tag of
> u-boot. I was pleased when I learned how to embed the public
> authentication key in my u-boot device tree, sign my kernel using my
> private authentication key, and see u-boot validate the signature on
> boot.
>
> But then I was very surprised to learn that I could still boot an
> unsigned image. So I started looking at the code and I found
> `fit_image_verify_with_data()` in "common/image_fit.c", which does:
>
>     if (IMAGE_ENABLE_VERIFY &&
>         fit_image_verify_required_sigs(fit, image_noffset, data, size,
>                                        gd_fdt_blob(), &verify_all)) {
>         err_msg = "Unable to verify required signature";
>         goto error;
>     }
>
>     /* Process all hash subnodes of the component image node */
>     fdt_for_each_subnode(noffset, fit, image_noffset) {
>         const char *name = fit_get_name(fit, noffset, NULL);
>
>         /*
>          * Check subnode name, must be equal to "hash".
>          * Multiple hash nodes require unique unit node
>          * names, e.g. hash-1, hash-2, etc.
>          */
>         if (!strncmp(name, FIT_HASH_NODENAME,
>                      strlen(FIT_HASH_NODENAME))) {
>             if (fit_image_check_hash(fit, noffset, data, size,
>                                      &err_msg))
>                 goto error;
>             puts("+ ");
>         } else if (IMAGE_ENABLE_VERIFY && verify_all &&
>                    !strncmp(name, FIT_SIG_NODENAME,
>                             strlen(FIT_SIG_NODENAME))) {
>             ret = fit_image_check_sig(fit, noffset, data,
>                                       size, -1, &err_msg);
>
>             /*
>              * Show an indication on failure, but do not return
>              * an error. Only keys marked 'required' can cause
>              * an image validation failure. See the call to
>              * fit_image_verify_required_sigs() above.
>              */
>             if (ret)
>                 puts("- ");
>             else
>                 puts("+ ");
>         }
>     }
>
> I see that if I create a "required" property in my signature block,
> then u-boot will require that the signature match. But if I don't
> have that, then it will happily boot an unsigned image (or even one
> that doesn't have any signature blocks).
>
> Am I missing something here?
>
Probably... I went round a very similar loop too.

You need the required property in the U-Boot DTB, not in the image
you're booting.

And if you're trying to do this for SPL loading U-Boot you need
CONFIG_SPL_LOAD_FIT_FULL.

Oh and make sure you've disabled legacy image support.

--
Alex Kiernan
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
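The point of the reply above is where the "required" property has to live. The device tree fragments below are an added illustration, not code from the thread or from the U-Boot tree: they show the public-key node in the U-Boot control DTB (the tree that fit_image_verify_required_sigs() reads through gd_fdt_blob()) first without and then with "required", next to the signature node in the FIT being booted, where the property does nothing. The key name "dev", the node names and the algorithm string are assumptions chosen to match the usual FIT signature layout; the RSA parameters that mkimage -K fills in are elided.

```dts
/*
 * 1. Control DTB (u-boot.dtb) as mkimage -K leaves it when the key is
 *    NOT marked required. Illustrative names; RSA numbers omitted.
 *
 *    Effect at boot: a good signature prints "+ ", a bad or missing
 *    signature prints "- " and the image still boots, because only
 *    keys marked 'required' can make verification fail.
 */
/ {
    signature {
        key-dev {
            algo = "sha256,rsa2048";
            key-name-hint = "dev";
            rsa,num-bits = <2048>;
            /* rsa,modulus, rsa,exponent, rsa,r-squared,
             * rsa,n0-inverse: written by mkimage -K, elided here */
        };
    };
};

/*
 * 2. Hardened control DTB: the same key with "required" set.
 *
 *    "conf"  -> the selected configuration must carry a valid signature
 *               from this key (the images it names are then covered by
 *               the hashes that signature protects).
 *    "image" -> every image node must carry a valid signature from it.
 *
 *    Either way an unsigned FIT, or one whose signature does not verify
 *    against this key, fails with "Unable to verify required signature".
 */
/ {
    signature {
        key-dev {
            required = "conf";
            algo = "sha256,rsa2048";
            key-name-hint = "dev";
            rsa,num-bits = <2048>;
            /* RSA parameters elided as above */
        };
    };
};

/*
 * 3. The FIT source (.its) being booted. This is untrusted input, so a
 *    "required" property placed in a signature node here is ignored by
 *    U-Boot; it is only honoured in the control DTB shown in 2.
 */
/ {
    description = "Signed kernel + FDT (constructed example)";
    images {
        kernel-1 {
            data = /incbin/("zImage");        /* assumed file name */
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x80008000>;              /* assumed address */
            entry = <0x80008000>;
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            data = /incbin/("board.dtb");     /* assumed file name */
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel", "fdt";
            };
        };
    };
};
```

When the key is written into the control DTB with mkimage -K, adding -r marks it as required, which produces fragment 2 instead of fragment 1. A quick way to confirm the deployed U-Boot actually enforces the check is to read the property back from the built DTB (for example with fdtget on /signature/key-dev) and then to attempt a boot with an unsigned FIT, which must stop at "Unable to verify required signature" rather than print "- " and continue.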