From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: "Jan Lübbe" <jlu@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [RFC 2/4] Add rsa support
Date: Tue, 17 Mar 2015 13:39:55 +0100 [thread overview]
Message-ID: <20150317123955.GR26127@ns203013.ovh.net> (raw)
In-Reply-To: <1426594190.3330.173.camel@pengutronix.de>
On 13:09 Tue 17 Mar , Jan Lübbe wrote:
> Hi Jean-Christophe,
>
> On Di, 2015-03-17 at 11:48 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > Could you explain your image format in a bit more detail? How your
> > > intend to defend against a mix-and-match attack?
> >
> > One of the format we are using can only be one configure signed or/and
> > encrypted so no mix-and-match attack
>
> Sorry, it's still not clear to me. Do you mean you would use FIT in that
> case (it supports signed configurations)? Or do you mean that you are
> using several formats, one of which uses signed/encrypted configurations
> of kernel/initramfs/dt?
yes sevral format FIT is just one of them
>
> I want to understand how your image formats would be used in the larger
> context of a BSP or distribution. Please describe which image formats
> you want to support (in addition to FIT). How are they structured? How
> are they generated? Are they already supported by other software?
Today we use a bpk formoat
in bpk format you can store different data for each hw_id, each data have a
specific type.
we add a new type for the signature.
we do a sha512 of the other data of one hw_id and signed it with a rsa4096
we use 1 unique rsa key per HW_ID
as soon as one of the file of a specific hw_id is open we check the signature
The code is no public yet but this is handled at FS level
and we allow only to open data that have been verified or decrypted if we use
AES
Best Regards,
J.
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2015-03-17 12:40 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-12 14:39 [RFC 0/4] FIT Support Jan Luebbe
2015-03-12 14:39 ` [RFC 1/4] digest: Make filename arguments const Jan Luebbe
2015-03-13 7:40 ` Sascha Hauer
2015-03-12 14:39 ` [RFC 2/4] Add rsa support Jan Luebbe
2015-03-12 17:47 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 9:35 ` Jan Lübbe
2015-03-13 9:56 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:06 ` Sascha Hauer
2015-03-13 10:12 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:22 ` Jan Lübbe
2015-03-13 10:26 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:10 ` Jan Lübbe
2015-03-13 10:25 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:43 ` Jan Lübbe
2015-03-13 15:49 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:00 ` Jan Lübbe
2015-03-16 10:27 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 11:25 ` Jan Lübbe
2015-03-16 11:33 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 15:42 ` Jan Lübbe
2015-03-17 10:48 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-17 12:09 ` Jan Lübbe
2015-03-17 12:39 ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2015-03-17 12:57 ` Jan Lübbe
2015-03-12 14:39 ` [RFC 3/4] FIT: add FIT image support Jan Luebbe
2015-03-12 18:19 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 9:28 ` Jan Lübbe
2015-03-13 10:05 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:21 ` Jan Lübbe
2015-03-13 14:28 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 15:41 ` Jan Lübbe
2015-03-13 16:08 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:19 ` Jan Lübbe
2015-03-16 11:14 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 12:08 ` Jan Lübbe
2015-03-16 12:19 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 13:28 ` Jan Lübbe
2015-03-16 13:51 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 14:31 ` Jan Lübbe
2015-03-16 14:40 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 14:50 ` Jan Lübbe
2015-03-13 11:33 ` Marc Kleine-Budde
2015-03-13 15:54 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 16:06 ` Marc Kleine-Budde
2015-03-13 17:00 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:04 ` Jan Lübbe
2015-03-16 10:28 ` Jean-Christophe PLAGNIOL-VILLARD
2015-12-29 10:18 ` Yegor Yefremov
2015-03-12 14:39 ` [RFC 4/4] FIT: add test config and data [do not merge] Jan Luebbe
2015-03-12 14:51 ` [RFC] digest: Add enum Jan Luebbe
2015-03-12 17:50 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 9:54 ` Jan Lübbe
2015-03-13 10:10 ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 18:50 ` Robert Schwebel
2015-11-11 11:39 ` [RFC 0/4] FIT Support Yegor Yefremov
2015-11-13 11:35 ` Antony Pavlov
2015-11-13 12:54 ` Sascha Hauer
2015-12-29 8:10 ` Yegor Yefremov
2016-01-05 8:11 ` Marc Kleine-Budde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150317123955.GR26127@ns203013.ovh.net \
--to=plagnioj@jcrosoft.com \
--cc=barebox@lists.infradead.org \
--cc=jlu@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox