On Mon, 2019-08-05 at 13:00 +0200, Lucas Stach wrote: > Am Montag, den 05.08.2019, 11:23 +0200 schrieb Rouven Czerwinski: > > +config PBL_VERIFY_PIGGY > > + depends on ARM > > Why? What exactly is ARM specific about this mechanism? Currently only the arch/arm/cpu/uncompress.c version implements the piggy verification. > > + bool "Verify piggydata" > > > + help > > > + Use a PBL builtin sha256sum to verify the piggydata before > > > decompression. > > > + WARNING: your board will not boot if a mismatch is detected, > > > enable DEBUG_LL > > > + to see the builtin and calculated hash. > > + This effectively locks a given PBL to the matching main > > barebox. > > Does it make sense to have this as a user-visible option? We want > this > in a very specific use-case, in which case it's selected anyways, so > the user can't break the security model via a wrong configuration. I > don't see any use for piggydata verification outside of this use- > case. > I agree, I'll make this user invisible. Regards, Rouven Czerwinski -- Pengutronix e.K. | | Industrial Linux Solutions | https://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
