[RFC 3/4] FIT: add FIT image support

Jan Lübbe jlu at pengutronix.de
Mon Mar 16 07:50:18 PDT 2015


On Mo, 2015-03-16 at 15:40 +0100, Jean-Christophe PLAGNIOL-VILLARD
wrote:
> On 15:31 Mon 16 Mar     , Jan Lübbe wrote:
> > (The following depends on prohibiting any unauthenticated access to the
> > barebox console.)
> > 
> > If you just use a chain of signed code like with HAB on i.MX, every cert
> > is verified by the previous step (up to the SRK table hash), so there is
> > no need to additionally protect certs against modification. Any modified
> > cert would result in a verification error. In this setup there is no
> > secret information on the device at all.
> > 
> > When doing this without support from the SoC's ROM code, you could store
> > barebox (with compiled-in master public key(s)) in RO flash. Against an
> > attacker without physical access, this results in the same security
> > properties. You couldn't update the RO barebox, though (only boot another
> > one second stage).
> 
> I agree with you, I said the same.
> 
> My key point is: if we do allow console access, we need to be sure at 100% that
> they cannot tamper with the trusted key in RAM, the barebox binary and the
> malloc space.

Yes. We would also need to disallow access to devices and non-verifying
boot commands.

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

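The chain-of-trust argument in the quoted part of this mail (every stage's key or cert is covered by the previous stage's signature, down to a root key hash that is the only thing the device stores, so there is no secret on the device and a modified cert simply fails to verify) can be modelled in a few dozen lines. The following is an added example, not barebox, HAB or FIT code: it assumes a two-stage chain (ROM → barebox → FIT image), constructed placeholder payloads, and a Lamport one-time hash signature in place of the RSA/ECDSA signatures real HAB and FIT images use. `fuse_hash` plays the role of the SRK table hash in fuses (or the key compiled into a read-only barebox), `next_pk` is the key a stage carries for verifying the following stage, and `verify_chain` is the check the device performs at boot.

```python
"""Added example: chained signed-boot verification with no secret on the device.

Assumptions (not from the original mail): a ROM -> barebox -> FIT chain with
constructed payloads, and Lamport one-time hash signatures instead of RSA/ECDSA.
"""
import hashlib
import secrets
from dataclasses import dataclass, replace


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Lamport one-time key: 256 pairs of random preimages; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def pk_bytes(pk) -> bytes:
    """Serialise a public key; this is the 'cert' carried inside a stage image."""
    return b"".join(a + b for a, b in pk)


@dataclass(frozen=True)
class Stage:
    name: str
    payload: bytes   # the code of this stage
    next_pk: list    # key this stage uses to verify the following stage ([] for the last)
    sig: list        # signature by the previous stage's key over payload || next_pk


def make_stage(name: str, payload: bytes, next_pk, signer_sk) -> Stage:
    # Signing happens offline at build time; the private key never reaches the device.
    return Stage(name, payload, next_pk, lamport_sign(signer_sk, payload + pk_bytes(next_pk)))


def verify_chain(fuse_hash: bytes, root_pk, stages):
    """What the device does at boot. It holds only fuse_hash, which is public."""
    if H(pk_bytes(root_pk)) != fuse_hash:
        return False, "root key does not match the hash in fuses"
    key = root_pk
    for st in stages:
        if not lamport_verify(key, st.payload + pk_bytes(st.next_pk), st.sig):
            return False, f"{st.name}: signature verification failed"
        key = st.next_pk   # trusted only because the signature just checked covers it
    return True, "ok"


def build_demo_chain():
    """ROM -> barebox -> FIT image, with constructed payloads (not real images)."""
    root_sk, root_pk = lamport_keygen()   # plays the role of the SRK
    fit_sk, fit_pk = lamport_keygen()     # key compiled into barebox for FIT verification
    fuse_hash = H(pk_bytes(root_pk))      # the only thing the device stores
    barebox = make_stage("barebox", b"constructed barebox image", fit_pk, root_sk)
    kernel = make_stage("fit-kernel", b"constructed FIT image", [], fit_sk)
    return fuse_hash, root_pk, [barebox, kernel]


def demo():
    """Verify the intact chain and three tampered variants; returns {case: accepted?}."""
    fuse_hash, root_pk, stages = build_demo_chain()
    _, attacker_pk = lamport_keygen()
    results = {"intact": verify_chain(fuse_hash, root_pk, stages)[0]}
    # A modified cert: swap the FIT verification key carried inside barebox.
    bad = [replace(stages[0], next_pk=attacker_pk), stages[1]]
    results["swapped_key"] = verify_chain(fuse_hash, root_pk, bad)[0]
    # A different root key: its hash no longer matches the fuses.
    results["swapped_root"] = verify_chain(fuse_hash, attacker_pk, stages)[0]
    # A patched kernel image under an unchanged signature.
    bad = [stages[0], replace(stages[1], payload=stages[1].payload + b"\x90")]
    results["patched_kernel"] = verify_chain(fuse_hash, root_pk, bad)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

Only the intact chain is accepted; the swapped key, swapped root key and patched payload each fail at the stage whose signature covers them, without any secret being present on the verifying side. The model also shows what the rest of the thread is about: it is only as strong as the immutability of `fuse_hash` and of the verifier itself, which is why the mail insists that a console must not be able to modify the trusted key in RAM, the barebox binary or the malloc space, or bypass the verifying boot path. A Lamport key signs exactly one message, so each key here is used once; a real deployment uses RSA or ECDSA keys that can sign many images.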