[RFC 3/4] FIT: add FIT image support
Jan Lübbe
jlu at pengutronix.de
Mon Mar 16 03:19:22 PDT 2015
Hi Jean-Christophe,
On Fr, 2015-03-13 at 17:08 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> On 16:41 Fri 13 Mar , Jan Lübbe wrote:
> > On Fr, 2015-03-13 at 15:28 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > > It's not the job of barebox to define security policies, it must fit
> > > > well into the larger security design, which may require compromises.
> > >
> > > I disagree, disabling non-secure features by default is required to pass
> > > secure boot certification
> >
> > Is there a specific certification you are targeting?
>
> yes, but I cannot give details, it is all under NDA; a book of more than 500 pages
> for bootloader/Linux/kernel & co
OK, that's unfortunate. Still I'd like to have some documentation on the
overall design of Barebox's verified boot. That doesn't mean you have to
write it all by yourself. ;)
> > How do you intend to handle console access in verified boot mode?
> > Allowing access to md/mw would break any security.
>
> it's already been mainline for months, check the password support
>
> I put it in production more than 1 year ago
>
> or simply disable the console input all the time, the code is there
So currently we have:
1) use password
2) disable console
Later I'd like to have optional support to switch barebox into a
"non-secure" or "developer" mode at runtime, which would make hardware
secrets inaccessible. That could be triggered when a prompt appears or
when booting from a different source (such as USB fastboot).
> the main problem is not the console but the env: you need to drop RW env support
> and use only the RO one, except for keyring support, where you will need a RW env
> that is not executable and only accessible through the crypto API
>
> otherwise you need to use a secured digest such as HMAC/CMAC/OMAC support
> to sign the env at runtime and ensure the symmetric key is secured,
> or encrypt it via AES (did this in the past)
For an upcoming project we'll add HMAC support to the state storage Marc
recently submitted.
> we may have to get a secured malloc with a region that md/mw and any other
> API cannot touch, only the crypto API
>
> but this will be for later
Yes.
> I'll send a patch to use PBKDF2 for the password
Nice.
Regards,
Jan
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
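The two mechanisms discussed above, an HMAC-authenticated env blob that is verified before anything in it is used, and a PBKDF2-derived console password, as an added example. This is illustrative host-side Python written for this page, not barebox code and not the state storage Marc submitted: the blob layout (magic, length, payload, HMAC-SHA256 tag), the key-derivation label, the stored password record format and every function name are assumptions.

```python
"""Added example, not barebox code: authenticated env blob + PBKDF2 password.

Assumed blob layout:  MAGIC(4) | payload_len(4, LE) | payload | HMAC-SHA256(32)
Assumed password record: iterations(4, LE) | salt(16) | derived key(32)
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"ENVH"                 # assumed magic for the constructed blob format
TAG_LEN = 32                    # HMAC-SHA256 output length
HEADER = struct.Struct("<4sI")  # magic, payload length
PBKDF2_ITERATIONS = 100_000     # assumed default; tune to the board's CPU


class EnvTamperedError(Exception):
    """Tag did not verify: the env must be treated as attacker-controlled."""


def derive_env_key(master_key: bytes) -> bytes:
    # Key separation: the env MAC key is derived from the hardware secret
    # with a fixed label, so the raw secret is never used as a MAC key.
    return hmac.new(master_key, b"env-hmac-v1", hashlib.sha256).digest()


def seal_env(master_key: bytes, env: bytes) -> bytes:
    """Produce header || env || tag; done when the env is written."""
    body = HEADER.pack(MAGIC, len(env)) + env
    tag = hmac.new(derive_env_key(master_key), body, hashlib.sha256).digest()
    return body + tag


def open_env(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then parse. Raises EnvTamperedError on any fault."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise EnvTamperedError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(derive_env_key(master_key), body, hashlib.sha256).digest()
    # Constant-time comparison: a byte-wise early exit would leak the tag.
    if not hmac.compare_digest(expected, tag):
        raise EnvTamperedError("HMAC mismatch")
    magic, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise EnvTamperedError("bad header")
    return body[HEADER.size:]


def env_is_authentic(master_key: bytes, blob: bytes) -> bool:
    """Boolean wrapper around open_env() for callers that only need a verdict."""
    try:
        open_env(master_key, blob)
        return True
    except EnvTamperedError:
        return False


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Build the stored record; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return struct.pack("<I", iterations) + salt + dk


def verify_password(record: bytes, password: str) -> bool:
    """Re-derive with the record's own salt/iterations and compare in constant time."""
    (iterations,) = struct.unpack_from("<I", record)
    salt, dk = record[4:20], record[20:52]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(cand, dk)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real device.
    master = bytes(range(32))
    env = b"bootargs=console=ttyS0,115200\nautoboot_timeout=3\n"
    blob = seal_env(master, env)
    print("roundtrip ok:", open_env(master, blob) == env)
    bad = bytearray(blob)
    bad[HEADER.size + 1] ^= 0x01          # flip one payload bit: "bootargs" -> corrupt
    print("tampered accepted:", env_is_authentic(master, bytes(bad)))
    rec = hash_password("s3cret", iterations=10_000)
    print("password ok:", verify_password(rec, "s3cret"),
          "wrong rejected:", not verify_password(rec, "guess"))
```

Note what this does not solve: the MAC key still has to come from somewhere md/mw cannot read, which is exactly the secured-memory point raised in the thread, and a verified blob is only as trustworthy as the code that later interprets its contents.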