[PATCH] image: Control FIT signature verification at runtime

Andrew Jeffery andrew at aj.id.au
Wed Feb 9 08:55:16 AEDT 2022



On Mon, 7 Feb 2022, at 11:37, ChiaWei Wang wrote:
> Hi Andrew,
>
> I am curious about the usage scenario.
> Is the runtime control required for production release?

Yes.

> As this control acts like a backdoor to bypass the chain-of-trust.

Right, just as the strap pin controlling the SB ROM in the 2600 allows bypass.

It's just another one of these affecting a different boot stage.

> If it is for debugging/development purposes, should we encourage the 
> use of unsigned images under RD environments?
> Beyond this, I have no concern as the patch provides more flexibility.
>
>> From: Andrew Jeffery <andrew at aj.id.au>
>> Sent: Monday, January 31, 2022 11:42 AM
>> 
>> Some platform designs include support for disabling secure-boot via a jumper
>> on the board. Sometimes this control can be separate from the mechanism
>> enabling the root-of-trust for the platform. Add support for this latter scenario
>> by allowing boards to implement board_fit_image_require_verfied(), which is
>> then invoked in the usual FIT verification paths.
>> 
>> Signed-off-by: Andrew Jeffery <andrew at aj.id.au>
>> ---
>> Hi,
>> 
>> This patch is extracted from and motivated by a series adding run-time control
>> of FIT signature verification to u-boot in OpenBMC:
>> 
>> https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
>> 
>> Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking
>> upstream and contains a bunch of out-of-tree work as well. As such I'm looking
>> to upstream the couple of changes that make sense against master.
>> 
>> Please take a look!
>> 
>> Andrew
>> 
>>  boot/Kconfig     |  8 ++++++++
>>  boot/image-fit.c | 21 +++++++++++++++++----
>>  include/image.h  |  9 +++++++++
>>  3 files changed, 34 insertions(+), 4 deletions(-)
>> 
>> diff --git a/boot/Kconfig b/boot/Kconfig
>> index c8d5906cd304..ec413151fd5a 100644
>> --- a/boot/Kconfig
>> +++ b/boot/Kconfig
>> @@ -78,6 +78,14 @@ config FIT_SIGNATURE
>>  	  format support in this case, enable it using
>>  	  CONFIG_LEGACY_IMAGE_FORMAT.
>> 
>> +if FIT_SIGNATURE
>> +config FIT_RUNTIME_SIGNATURE
>> +	bool "Control verification of FIT uImages at runtime"
>> +	help
>> +	  This option allows board support to disable verification of
>> +	  signatures at runtime, for example through the state of a GPIO.
>> +endif # FIT_SIGNATURE
>> +
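Review bot: The help text for FIT_RUNTIME_SIGNATURE does not say what a board has to provide to use it, nor what the behaviour is when the board provides nothing. The commit message names the hook as board_fit_image_require_verfied() (which also looks like a misspelling of "verified"), but nothing in this hunk ties the option to it, so a reader of menuconfig cannot tell that enabling the option without a board implementation is either a no-op or silently disables verification. Suggest extending the help with one or two lines along the lines of "Boards must implement board_fit_image_require_verified(); when it returns false the FIT signature check is skipped, so it should only be driven by a hardware control such as a jumper" and stating the default when no board implementation exists. Separately, as noted in the reply, wrapping a single option in `if FIT_SIGNATURE` / `endif` is better expressed as `depends on FIT_SIGNATURE` inside the config entry.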
>
> Using "depends on" might be preferred for Kconfig dependency.

Yes, that's probably better.

Thanks for taking a look.

Andrew
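The control the commit message describes, as an added example that is not part of the patch, of U-Boot or of OpenBMC: a board hook decides at run time whether a FIT signature is required, here driven by a simulated jumper GPIO, and the verification path consults it. All names (the board struct, the jumper states, toy_digest, fit_image_verify) are hypothetical stand-ins; the hook is spelled board_fit_image_require_verified() here, where the commit message writes board_fit_image_require_verfied(). The FNV-1a "signature" is a constructed placeholder for the RSA/ECDSA signatures a real FIT carries. The two points a practitioner would want to see are that the hook fails closed (an unreadable pin or a board without the override keeps verification on) and that the signature is still checked and reported even when the board allows the boot to proceed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not U-Boot code. Models run-time control of FIT signature
 * verification by a board hook. All names below are hypothetical. */

/* Simulated result of reading the "disable secure boot" jumper GPIO. */
enum jumper_level {
    JUMPER_NOT_ASSERTED = 0,
    JUMPER_ASSERTED = 1,
    JUMPER_READ_ERROR = -1
};

struct board {
    bool has_runtime_control;   /* analogue of CONFIG_FIT_RUNTIME_SIGNATURE */
    int jumper;                 /* constructed GPIO state, one of enum jumper_level */
};

/* Analogue of the board hook from the patch. Fails closed: only a board that
 * opted in and whose jumper reads as asserted may skip verification; a read
 * error or a board without the override keeps verification mandatory. */
bool board_fit_image_require_verified(const struct board *b)
{
    if (!b->has_runtime_control)
        return true;
    if (b->jumper == JUMPER_ASSERTED)
        return false;
    return true;    /* not asserted, or GPIO read error */
}

/* Toy FIT image: constructed stand-in whose "signature" is an FNV-1a digest
 * of the payload. A real FIT carries asymmetric signatures over the config. */
struct fit_image {
    const char *payload;
    uint32_t sig;
};

uint32_t toy_digest(const char *s)
{
    uint32_t h = 2166136261u;           /* FNV-1a 32-bit offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                 /* FNV-1a 32-bit prime */
    }
    return h;
}

enum fit_result {
    FIT_VERIFIED = 0,           /* signature good, boot */
    FIT_BAD_SIGNATURE = 1,      /* signature bad, board requires it: refuse */
    FIT_UNVERIFIED_ALLOWED = 2  /* signature bad, board allowed bypass: boot */
};

/* Analogue of the FIT verification path. The signature is always checked so
 * a bad image is still reported on the console; the failure is only fatal
 * when the board hook says verification is required. */
enum fit_result fit_image_verify(const struct board *b, const struct fit_image *img)
{
    bool sig_ok = toy_digest(img->payload) == img->sig;

    if (sig_ok)
        return FIT_VERIFIED;
    if (board_fit_image_require_verified(b)) {
        printf("FIT: bad signature, verification required: refusing to boot\n");
        return FIT_BAD_SIGNATURE;
    }
    printf("FIT: bad signature, board disabled verification: booting anyway\n");
    return FIT_UNVERIFIED_ALLOWED;
}

int main(void)
{
    const char *payload = "kernel+fdt (constructed payload)";
    struct fit_image good = { payload, toy_digest(payload) };
    struct fit_image bad  = { payload, toy_digest(payload) ^ 1u };

    struct board production = { .has_runtime_control = false, .jumper = JUMPER_ASSERTED };
    struct board dev_jumper = { .has_runtime_control = true,  .jumper = JUMPER_ASSERTED };
    struct board dev_open   = { .has_runtime_control = true,  .jumper = JUMPER_NOT_ASSERTED };
    struct board dev_err    = { .has_runtime_control = true,  .jumper = JUMPER_READ_ERROR };

    printf("production, bad image:     %d\n", fit_image_verify(&production, &bad));
    printf("dev + jumper, bad image:   %d\n", fit_image_verify(&dev_jumper, &bad));
    printf("dev, no jumper, bad image: %d\n", fit_image_verify(&dev_open, &bad));
    printf("dev, GPIO error, bad image:%d\n", fit_image_verify(&dev_err, &bad));
    printf("dev + jumper, good image:  %d\n", fit_image_verify(&dev_jumper, &good));
    return 0;
}
```

Only the jumper-asserted board with a bad signature reaches FIT_UNVERIFIED_ALLOWED; a production build without the option, a board whose jumper is not set, and a board whose GPIO read fails all refuse the image. Keeping the check itself unconditional means the bypass leaves a visible trace in the boot log rather than silently skipping the work.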

