On 16.09.20 14:05, Joakim Tjernlund wrote: > On Wed, 2020-09-16 at 13:55 +0200, Heinrich Schuchardt wrote: >> On 16.09.20 13:40, Joakim Tjernlund wrote: >>> On Wed, 2020-09-16 at 13:14 +0200, Heinrich Schuchardt wrote: >>>> CAUTION: This email originated from outside of the organization. Do not >>>> click links or open attachments unless you recognize the sender and know >>>> the content is safe. >>>> >>>> >>>> On 16.09.20 10:13, AKASHI Takahiro wrote: >>>>> On Wed, Sep 16, 2020 at 01:19:03AM +0200, Heinrich Schuchardt wrote: >>>>>> On 9/11/20 7:26 PM, Andrii Voloshyn wrote: >>>>>>> Hi there, >>>>>>> >>>>>>> Does U-boot take into account certificate expiration date when >>>>>>> verifying signed images in FIT? In other words, is date stored along >>>>>>> with the public key in DTB file? >>>>>>> >>>>>>> Cheers, >>>>>>> Andy >>>>>>> >>>>>> >>>>>> Hello Philippe, >>>>>> >>>>>> looking at padding_pkcs_15_verify() in lib/rsa/rsa-verify.c I cannot >>>>>> find a comparison of the date on which an image was signed with the >>>>>> expiry date of the certificate. Shouldn't there be a check? Or did I >>>>>> simply look into the wrong function? >>>>> >>>>> I think Simon is the right person to answer this question, but >>>>> >>>>> as far as I know, we don't have any device tree property for the >>>>> expiration >>>>> date of a public key. See doc/uImage.FIT/signature.txt. >>>> >>>> Yes, the problem starts with mkimage not writing the dates available in >>>> the X509 certificate into the device tree. >>>> >>>> The dates are accessible via the X509_get0_notBefore() and >>>> X509_get0_notAfter() functions of the OpenSSL library. >>>> >>>> >>>> Takahiro, could you, please, also look at the UEFI secure boot >>>> implementation in U-Boot. EDK2 validates the dates via the embedded >>>> OpenSSL library in >>>> CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_vfy.c, function >>>> verify_chain(). We should not do less. >>> >>> Does that mean that verified boot stops/fails when the date expires ? >>> How do you guarantee that the device has the correct time ? >>> >>> Jocke >>> >> >> We talking of the validity time range of the public key and the date of >> signature of the intermediate certificates and the loaded image. No RTC > > OK, but still: will an invalid time range then stop booting ? > >
If you use a certificate that is valid until 2019 to sign an image or an intermediate certificate in 2020, the image must not be loaded. Best regards Heinrich