[PATCH] i.MX: hab: write srk lock with hab command
Fabian Pflug
f.pflug at pengutronix.de
Fri Mar 6 02:20:12 PST 2026
The write_srk_hash functions already support the flag to write the SRK
lock, but it is never used in barebox. To prevent an attacker from
calculating an SRK hash that has the same bits set as the current SRK
hash, but with maybe more, we lock the SRK hash to prevent turning bits.
Writing the lock twice will probably result in unusable garbage and the
hab command itself already is written in a way to write the complete
hash and not parts of it.
Signed-off-by: Fabian Pflug <f.pflug at pengutronix.de>
---
commands/hab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/commands/hab.c b/commands/hab.c
index 8ae943a4c8..b8ef770066 100644
--- a/commands/hab.c
+++ b/commands/hab.c
@@ -14,7 +14,7 @@ static int do_hab(int argc, char *argv[])
{
int opt, ret, i;
char *srkhashfile = NULL, *srkhash = NULL;
- unsigned flags = 0;
+ unsigned flags = IMX_SRK_HASH_WRITE_LOCK;
u8 srk[SRK_HASH_SIZE];
int lockdown = 0, info = 0;
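Review bot: Initialising `flags` to `IMX_SRK_HASH_WRITE_LOCK` at its declaration in do_hab() makes the lock the default for every invocation, and nothing in this hunk lets the caller opt out or tells them about it. Burning a lock fuse cannot be undone, so the command's help text and documentation should state that writing the SRK hash now also sets the lock. The commit message says that writing the lock twice will "probably" give unusable garbage. Please confirm what happens when the command is run again on an already locked device, and whether the write path refuses that case before it touches the fuses. If the lock is only meant to accompany an actual hash write, OR the flag in at the point where the SRK hash option is parsed instead of in the initialiser, so the intent is visible in the code.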
--
2.47.3