[RFC 3/4] FIT: add FIT image support

Jan Lübbe jlu at pengutronix.de
Mon Mar 16 03:19:22 PDT 2015


Hi Jean-Christophe,

On Fr, 2015-03-13 at 17:08 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> On 16:41 Fri 13 Mar     , Jan Lübbe wrote:
> > On Fr, 2015-03-13 at 15:28 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > > It's not the job of barebox to define security policies, it must fit
> > > > well into the larger security design, which may require compromises.
> > > 
> > > I disagree, disabling non-secure features by default is required to pass
> > > secure boot certification
> > 
> > Is there a specific certification you are targeting?
> 
> Yes, but I cannot give details; it's all under NDA, a book of more than 500 pages
> for bootloader/linux/kernel & co

OK, that's unfortunate. Still I'd like to have some documentation on the
overall design of Barebox's verified boot. That doesn't mean you have to
write it all by yourself. ;)

> > How do you intend to handle console access in verified boot mode?
> > Allowing access to md/mw would break any security.
> 
> It's already been mainline for months, check the password support
> 
> as I put it in production more than 1 year ago
> 
> or simply disable the input console all the time, the code is there

So currently we have:
1) use password
2) disable console

Later I'd like to have optional support to switch barebox into a
"non-secure" or "developer" mode at runtime, which would make hardware
secrets inaccessible. That could be triggered when a prompt appears or
when booting from a different source (such as USB fastboot).

> the main problem is not the console but the env: you need to drop RW env support
> and use only a RO one, except for keyring support, where you will need a RW env that is
> not executable and only accessible by the crypto API
> 
> otherwise you need to use a secured digest such as HMAC/CMAC/OMAC support
> to sign the env at runtime and ensure the symmetric key is secured,
> or encrypt it via AES (did this in the past)

For an upcoming project we'll add HMAC support to the state storage Marc
recently submitted.

> we may have to get a secured malloc with a part that md/mw and any other
> API cannot touch, only the crypto API
> 
> but this will be for later

Yes.

> I'll send a patch to use the pbkdf2 for password

Nice.

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
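The two protections discussed in this thread, an HMAC over the environment so that edits made without the key are detected (Jean-Christophe's "sign the env at runtime" and Jan's planned HMAC support for state storage) and PBKDF2 for the console password, as an added illustration that is not part of this email or of barebox's code. The blob layout (magic, 32-byte HMAC-SHA256 tag, key=value payload), the record layout for the password, and the iteration count are assumptions chosen for the example; the key would in practice come from hardware, not from the constant used here. The example goes beyond the thread in one respect: it shows the fail-closed behaviour (a bad MAC yields an empty environment rather than the unauthenticated contents) and the constant-time comparison that any such verifier needs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed layout for this example (not barebox's on-flash format):
#   magic (4 bytes) | HMAC-SHA256 tag (32 bytes) | payload (name=value lines)
ENV_MAGIC = b"ENV1"
TAG_LEN = 32


def seal_env(key: bytes, payload: bytes) -> bytes:
    """Append a MAC over magic+payload so any later edit is detectable."""
    tag = hmac.new(key, ENV_MAGIC + payload, hashlib.sha256).digest()
    return ENV_MAGIC + tag + payload


def open_env(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the payload only if the MAC verifies; None on any mismatch."""
    hdr = len(ENV_MAGIC) + TAG_LEN
    if len(blob) < hdr or not blob.startswith(ENV_MAGIC):
        return None
    tag, payload = blob[len(ENV_MAGIC):hdr], blob[hdr:]
    expected = hmac.new(key, ENV_MAGIC + payload, hashlib.sha256).digest()
    # constant-time comparison: a plain == would leak timing on the tag
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def parse_env(payload: bytes) -> Dict[str, str]:
    """Parse 'name=value' lines; comments and malformed lines are ignored."""
    env: Dict[str, str] = {}
    for line in payload.decode("utf-8", errors="replace").splitlines():
        if "=" in line and not line.startswith("#"):
            name, value = line.split("=", 1)
            env[name.strip()] = value.strip()
    return env


def load_env(key: bytes, blob: bytes) -> Dict[str, str]:
    """Fail closed: a bad MAC yields an empty environment, never the
    unauthenticated contents."""
    payload = open_env(key, blob)
    return parse_env(payload) if payload is not None else {}


# --- console password stored as a PBKDF2 record (assumed layout) ---------
def make_password_record(password: str, iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, derived key); only this is stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(record: Tuple[bytes, int, bytes], candidate: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    salt, iterations, digest = record
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stand-in for a hardware-held key
    blob = seal_env(key, b"bootsource=nand\nautoboot_timeout=3\n")
    print(load_env(key, blob))
    # Edit the stored blob without re-MACing it (constructed tamper case).
    tampered = blob[:-4] + b"9999"
    print(load_env(key, tampered))  # empty dict: the edit is rejected
    rec = make_password_record("example-password")
    print(verify_password(rec, "example-password"), verify_password(rec, "wrong"))
```

The MAC is computed over the magic as well as the payload so that a blob cannot be re-labelled as a different record type under the same key; the PBKDF2 record stores its own iteration count so the cost can be raised later without invalidating existing records.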