On Mo, 2015-03-16 at 15:40 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote: > On 15:31 Mon 16 Mar , Jan Lübbe wrote: > > (The following depends on prohibiting any unauthenticated access to the > > barebox console.) > > > > If you just use a chain of signed code like with HAB on i.MX, every cert > > is verified by the previous step (up to the SRK table hash), so there is > > no need to additionally protect certs against modification. Any modified > > cert would result in a verification error. In this setup there is no > > secret information on the device at all. > > > > When doing this without support from the SoC's ROM code, you could store > > barebox (with compiled-in master public key(s)) in RO flash. Against an > > attacker without physical access, this results in the same security > > properties. You couldn't update the RO barebox, tough (only boot another > > one second stage). > > I agree with you I said the same > > my key point is if we do allow console access we need be sure at 100% that > they can not tempered with the trusted key in RAM and barebox binary and > malloc space Yes. We would also need to disallow access to devices and non-verifying boot commands. Regards, Jan -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
