On Wed, 2020-09-16 at 13:55 +0200, Heinrich Schuchardt wrote: > On 16.09.20 13:40, Joakim Tjernlund wrote: > > On Wed, 2020-09-16 at 13:14 +0200, Heinrich Schuchardt wrote: > > > CAUTION: This email originated from outside of the organization. Do not > > > click links or open attachments unless you recognize the sender and know > > > the content is safe. > > > > > > > > > On 16.09.20 10:13, AKASHI Takahiro wrote: > > > > On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote: > > > > > On 9/11/20 7:26 PM, Andrii Voloshyn wrote: > > > > > > Hi there, > > > > > > > > > > > > Does U-boot take into account certificate expiration date when > > > > > > verifying signed images in FIT? In other words, is date stored > > > > > > along with the public key in DTB file? > > > > > > > > > > > > Cheers, > > > > > > Andy > > > > > > > > > > > > > > > > Hello Philippe, > > > > > > > > > > looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot > > > > > find a comparison of the date on which an image was signed with the > > > > > expiry date of the certificate. Shouldn't there be a check? Or did I > > > > > simply look into the wrong function? > > > > > > > > I think Simon is the right person to answer this question, but > > > > > > > > as far as I know, we don't have any device tree property for the > > > > expiration > > > > date of a public key. See doc/uImage.FIT/signature.txt. > > > > > > Yes, the problem starts with mkimage not writing the dates available in > > > the X509 certificate into the device tree. > > > > > > The dates are accessible via the X509_get0_notBefore() and > > > X509_get0_notAfter() functions of the OpenSSL library. > > > > > > > > > Takahiro, could you, please, also look at the UEFI secure boot > > > implementation in U-Boot. EDK2 validates the dates via the embedded > > > OpenSSL library in > > > CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function > > > verify_chain(). We should not do less. > > > > Does that mean that verified boot stops/fails when the date expires ? > > How do you guarantee that the device has the correct time ? > > > > Jocke > > > > We talking of the validity time range of the public key and the date of > signature of the intermediate certificates and the loaded image. No RTC
OK, but still: will an invalid time range then stop booting ?