[PATCH] image: Control FIT signature verification at runtime

ChiaWei Wang chiawei_wang at aspeedtech.com
Mon Feb 7 12:07:25 AEDT 2022


Hi Andrew,

I am curious about the usage scenario.
Is the runtime control required for production release?
This control acts like a backdoor to bypass the chain of trust.
If it is for debugging/development purposes, should we encourage the use of unsigned images under R&D environments?
Beyond this, I have no concern, as the patch provides more flexibility.

> From: Andrew Jeffery <andrew at aj.id.au>
> Sent: Monday, January 31, 2022 11:42 AM
> 
> Some platform designs include support for disabling secure-boot via a jumper
> on the board. Sometimes this control can be separate from the mechanism
> enabling the root-of-trust for the platform. Add support for this latter scenario
> by allowing boards to implement board_fit_image_require_verfied(), which is
> then invoked in the usual FIT verification paths.
> 
> Signed-off-by: Andrew Jeffery <andrew at aj.id.au>
> ---
> Hi,
> 
> This patch is extracted from and motivated by a series adding run-time control
> of FIT signature verification to u-boot in OpenBMC:
> 
> https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
> 
> Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking
> upstream and contains a bunch of out-of-tree work as well. As such I'm looking
> to upstream the couple of changes that make sense against master.
> 
> Please take a look!
> 
> Andrew
> 
>  boot/Kconfig     |  8 ++++++++
>  boot/image-fit.c | 21 +++++++++++++++++----
>  include/image.h  |  9 +++++++++
>  3 files changed, 34 insertions(+), 4 deletions(-)
> 
> diff --git a/boot/Kconfig b/boot/Kconfig
> index c8d5906cd304..ec413151fd5a 100644
> --- a/boot/Kconfig
> +++ b/boot/Kconfig
> @@ -78,6 +78,14 @@ config FIT_SIGNATURE
>  	  format support in this case, enable it using
>  	  CONFIG_LEGACY_IMAGE_FORMAT.
> 
> +if FIT_SIGNATURE
> +config FIT_RUNTIME_SIGNATURE
> +	bool "Control verification of FIT uImages at runtime"
> +	help
> +	  This option allows board support to disable verification of
> +	  signatures at runtime, for example through the state of a GPIO.
> +endif # FIT_SIGNATURE
> +
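Review bot: the `if FIT_SIGNATURE` / `endif # FIT_SIGNATURE` wrapper around a single new entry is more idiomatically written as a `depends on FIT_SIGNATURE` line inside `config FIT_RUNTIME_SIGNATURE`, which keeps the dependency visible in the entry itself and avoids a block that currently exists only to hold one option. The help text should also spell out the security consequence: a bool with no `default` line defaults to n, and the text should say that enabling this lets the board hook skip signature checks entirely, so the option belongs in development builds only and the hook must fail closed (require verification) whenever the GPIO state cannot be read.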

Using "depends on" might be preferred for Kconfig dependency.

Regards,
Chiawei
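As an added illustration of the fail-closed behaviour such a board hook should have (this is not code from the patch, from U-Boot, or from either writer): the hook name `board_fit_image_require_verified()` is assumed here (the commit message spells it `board_fit_image_require_verfied()`), the jumper GPIO is a constructed mock, and `fit_image_accept()` is a hypothetical stand-in for the FIT verification path that shows the hook being consulted only when CONFIG_FIT_RUNTIME_SIGNATURE is enabled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the board's "secure-boot disable" jumper GPIO.
 * 1 = jumper fitted (bypass requested), 0 = not fitted, <0 = read error. */
static int mock_jumper_fitted = 0;
static int mock_jumper_error = 0;

static int read_bypass_jumper(void)
{
	if (mock_jumper_error)
		return -1;
	return mock_jumper_fitted;
}

/* Assumed board hook: returns true when signatures must be verified.
 * Fails closed: an unreadable GPIO is treated as "verification required". */
bool board_fit_image_require_verified(void)
{
	int state = read_bypass_jumper();

	if (state < 0) {
		printf("bypass jumper unreadable, requiring verification\n");
		return true;
	}
	return state == 0;
}

/* Hypothetical gate modelled on the FIT verification path.
 * sig_ok is the result of the normal signature check; runtime_ctrl mirrors
 * CONFIG_FIT_RUNTIME_SIGNATURE, without which the hook is never consulted. */
bool fit_image_accept(bool sig_ok, bool runtime_ctrl)
{
	if (runtime_ctrl && !board_fit_image_require_verified()) {
		printf("FIT signature verification disabled by board hook\n");
		return true;
	}
	return sig_ok;
}

/* Sets the constructed jumper state for experiments. */
void mock_set_jumper(int fitted, int err)
{
	mock_jumper_fitted = fitted;
	mock_jumper_error = err;
}
```

With the jumper fitted and the option enabled an unsigned image is accepted; in every other combination, including a GPIO read error, the normal signature result decides.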