Re: [PATCH v2 10/16] pbl: add sha256 and piggy verification to PBL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2019-08-05 at 13:00 +0200, Lucas Stach wrote:
> Am Montag, den 05.08.2019, 11:23 +0200 schrieb Rouven Czerwinski:
> > +config PBL_VERIFY_PIGGY
> > +	depends on ARM
> 
> Why? What exactly is ARM specific about this mechanism?

Currently only the arch/arm/cpu/uncompress.c version implements the
piggy verification.

> > +	bool "Verify piggydata"
> > > +	help
> > > +	  Use a PBL builtin sha256sum to verify the piggydata before
> > > decompression.
> > > +	  WARNING: your board will not boot if a mismatch is detected,
> > > enable DEBUG_LL
> > > +	  to see the builtin and calculated hash.
> > +	  This effectively locks a given PBL to the matching main
> > barebox.
> 
> Does it make sense to have this as a user-visible option? We want
> this
> in a very specific use-case, in which case it's selected anyways, so
> the user can't break the security model via a wrong configuration. I
> don't see any use for piggydata verification outside of this use-
> case.
> 

I agree, I'll make this user invisible.

Regards,
Rouven Czerwinski
-- 
Pengutronix e.K.                           |            		 |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox



[Index of Archives]     [Linux Embedded]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux