[PATCH] image: Control FIT signature verification at runtime
Andrew Jeffery
andrew at aj.id.au
Wed Feb 9 08:55:16 AEDT 2022
On Mon, 7 Feb 2022, at 11:37, ChiaWei Wang wrote:
> Hi Andrew,
>
> I am curious about the usage scenario.
> Is the runtime control required for production release?
Yes.
> As this control acts like a backdoor to bypass the chain-of-trust.
Right, just as the strap pin controlling the SB ROM in the 2600 allows bypass.
It's just another one of these affecting a different boot stage.
> If it is for debugging/development purposes, should we encourage the
> use of unsigned images under RD environments?
> Beyond this, I have no concern as the patch provides more flexibility.
>
>> From: Andrew Jeffery <andrew at aj.id.au>
>> Sent: Monday, January 31, 2022 11:42 AM
>>
>> Some platform designs include support for disabling secure-boot via a jumper
>> on the board. Sometimes this control can be separate from the mechanism
>> enabling the root-of-trust for the platform. Add support for this latter scenario
>> by allowing boards to implement board_fit_image_require_verfied(), which is
>> then invoked in the usual FIT verification paths.
>>
>> Signed-off-by: Andrew Jeffery <andrew at aj.id.au>
>> ---
>> Hi,
>>
>> This patch is extracted from and motivated by a series adding run-time control
>> of FIT signature verification to u-boot in OpenBMC:
>>
>> https://lore.kernel.org/openbmc/20220131012538.73021-1-andrew@aj.id.au/
>>
>> Unfortunately the OpenBMC u-boot tree is quite a way behind on tracking
>> upstream and contains a bunch of out-of-tree work as well. As such I'm looking
>> to upstream the couple of changes that make sense against master.
>>
>> Please take a look!
>>
>> Andrew
>>
>> boot/Kconfig     |  8 ++++++++
>> boot/image-fit.c | 21 +++++++++++++++++----
>> include/image.h  |  9 +++++++++
>> 3 files changed, 34 insertions(+), 4 deletions(-)
>>
>> diff --git a/boot/Kconfig b/boot/Kconfig index c8d5906cd304..ec413151fd5a
>> 100644
>> --- a/boot/Kconfig
>> +++ b/boot/Kconfig
>> @@ -78,6 +78,14 @@ config FIT_SIGNATURE
>> format support in this case, enable it using
>> CONFIG_LEGACY_IMAGE_FORMAT.
>>
>> +if FIT_SIGNATURE
>> +config FIT_RUNTIME_SIGNATURE
>> + bool "Control verification of FIT uImages at runtime"
>> + help
>> + This option allows board support to disable verification of
>> + signatures at runtime, for example through the state of a GPIO.
>> +endif # FIT_SIGNATURE
>> +
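Review bot: the `if FIT_SIGNATURE` / `endif # FIT_SIGNATURE` wrapper around the single `config FIT_RUNTIME_SIGNATURE` entry is better expressed as a `depends on FIT_SIGNATURE` line inside the entry, the usual Kconfig form for one dependent option, so the prerequisite is visible next to the option rather than in an enclosing block. The help text should also state what enabling the option gives up: board code can switch signature checking off at runtime, which bypasses the FIT part of the chain of trust, so it belongs only on platforms where the input the board reads (a jumper or strap pin, as the cover letter describes) cannot be changed from software running on the device, and the help should say that verification stays required unless the board hook explicitly asks to skip it.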
>
> Using "depends on" might be preferred for Kconfig dependency.
Yes, that's probably better.
Thanks for taking a look.
Andrew
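As an added, stand-alone model of the policy the cover letter describes (not U-Boot's code and not part of this thread): the board hook decides at runtime whether FIT signature verification is required, the hook is only consulted when the Kconfig option is compiled in, and a failed read of the strap pin falls back to requiring verification. The `struct board_state`, `strap_pin_read()` and `fit_image_verify()` names are assumptions for this example; the hook is named as in the cover letter.

```c
/* Added example: a self-contained model of runtime-controlled FIT verification.
 * Not U-Boot code; the board state and helpers below are assumptions. */
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

#define CONFIG_FIT_RUNTIME_SIGNATURE 1 /* assume the Kconfig option is enabled */

/* Stand-in for a board's strap pin: a real board would read a GPIO here. */
struct board_state {
    int pin_value; /* 1 = operator has asserted the "skip verification" jumper */
    int pin_error; /* 0, or a negative errno to simulate a failed read */
};

static int strap_pin_read(const struct board_state *b)
{
    return b->pin_error ? b->pin_error : b->pin_value;
}

/* Board hook named as in the cover letter. Fails closed: any read error
 * means verification is still required. */
bool board_fit_image_require_verfied(const struct board_state *b)
{
    int v = strap_pin_read(b);

    if (v < 0) {
        printf("strap pin read failed (%d); requiring verification\n", v);
        return true;
    }
    return v == 0;
}

/* The gate as the verification path would apply it: the hook may relax the
 * check only when the option is compiled in; otherwise always verify. */
bool fit_image_require_verified(const struct board_state *b)
{
#if CONFIG_FIT_RUNTIME_SIGNATURE
    return board_fit_image_require_verfied(b);
#else
    (void)b;
    return true;
#endif
}

/* Simulated verify step; sig_ok stands in for the signature check result. */
int fit_image_verify(const struct board_state *b, bool sig_ok)
{
    if (!fit_image_require_verified(b)) {
        printf("FIT signature verification skipped by board policy\n");
        return 0;
    }
    return sig_ok ? 0 : -EACCES;
}
```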