On 03/13/2015 11:05 AM, Jean-Christophe PLAGNIOL-VILLARD wrote: > On 10:28 Fri 13 Mar , Jan Lübbe wrote: >> On Do, 2015-03-12 at 19:19 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote: >>> please do not send a new version except for fix >>> >>> I'm going to re-integrate it with the keystore & co >> >> Could you describe your keystore design? > > I'll send the patch series soon > > code is better than 1000s of words > > with DER support and the fit >> >>> and sha1,rsa2048 is considered weak in term of security >>> and worse md4/md5 >>> >>> for barebox I would only use >>> at least sha256 with rs2048 or sha512 with rsa4096 >> >> Yes, of course. These were only used as an example and it's trivial to >> switch to other hash algos or RSA key sizes. Also, the FIT format can >> easily be extended to support ECC/Curve25519. > > very slow vs rsa, but as we will use a generic framework we will just need to > add the algo > > if you can break rsa4096, the chance you can break ECC are high too If you want to open the box, today you would probably not break rsa2048/sha1 (unless you have huge calculation power) but look for implementation weaknesses, like bugs or side channel attacks. >> In some cases, where the SoC's ROM code only supports RSA2048 with SHA1, >> using stronger settings in Barebox doesn't increase security. So there >> we want to use the same settings as the ROM code. > > agreed but I refuse to allow it unless we have no choice > and emit a warning > > and even I'll prefer to use stonger, yes this will increase the security. > As a secure boot is as strong as it's weak link > > but this will not reduce it either Adding unneeded complexity might not the best move here. Marc -- Pengutronix e.K. | Marc Kleine-Budde | Industrial Linux Solutions | Phone: +49-231-2826-924 | Vertretung West/Dortmund | Fax: +49-5121-206917-5555 | Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox