mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* Secure trusted boot mechanism
@ 2017-01-16  8:26 Dold, Wolfram
  2017-01-16  8:33 ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Dold, Wolfram @ 2017-01-16  8:26 UTC (permalink / raw)
  To: barebox

Hi all,
I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or
any other type of verified secure trusted boot?

Thanks, Wolfram
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism
  2017-01-16  8:26 Secure trusted boot mechanism Dold, Wolfram
@ 2017-01-16  8:33 ` Sascha Hauer
  2017-01-16  9:22   ` Dold, Wolfram
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2017-01-16  8:33 UTC (permalink / raw)
  To: Dold, Wolfram; +Cc: barebox

Hi Wolfram,

On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote:
> Hi all,
> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or
> any other type of verified secure trusted boot?

Yes, barebox does support FIT images.
It also supports HAB on i.MX machines, although this is only for
starting trusted bootloaders from the ROM, not for starting trusted
kernels.

Sascha

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism
  2017-01-16  8:33 ` Sascha Hauer
@ 2017-01-16  9:22   ` Dold, Wolfram
  2017-01-16  9:40     ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Dold, Wolfram @ 2017-01-16  9:22 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Hi Sascha,
thanks for your fast reply.

On 16.01.2017 09:33, Sascha Hauer wrote:
> Hi Wolfram,
> 
> On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote:
>> Hi all,
>> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or
>> any other type of verified secure trusted boot?
> 
> Yes, barebox does support FIT images.
> It also supports HAB on i.MX machines, although this is only for
> starting trusted bootloaders from the ROM, not for starting trusted
> kernels.
We have an TI AM335x Machine. As I understood the only way in such an environment to boot a trusted kernel is FIT?
What we wnat to do is to prevent the device from being hijacked.
Do you know another way than FIT to do that?
Is there any documentation available regarding barebox and FIT?

Wolfram
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism
  2017-01-16  9:22   ` Dold, Wolfram
@ 2017-01-16  9:40     ` Sascha Hauer
  0 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2017-01-16  9:40 UTC (permalink / raw)
  To: Dold, Wolfram; +Cc: barebox

On Mon, Jan 16, 2017 at 09:22:57AM +0000, Dold, Wolfram wrote:
> Hi Sascha,
> thanks for your fast reply.
> 
> On 16.01.2017 09:33, Sascha Hauer wrote:
> > Hi Wolfram,
> > 
> > On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote:
> >> Hi all,
> >> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or
> >> any other type of verified secure trusted boot?
> > 
> > Yes, barebox does support FIT images.
> > It also supports HAB on i.MX machines, although this is only for
> > starting trusted bootloaders from the ROM, not for starting trusted
> > kernels.
> We have an TI AM335x Machine. As I understood the only way in such an environment to boot a trusted kernel is FIT?

Yes.

Of course you have to make sure that the Boot ROM only boots trusted
bootloaders. I don't know what the AM335x offers here to do that.

> What we wnat to do is to prevent the device from being hijacked.
> Do you know another way than FIT to do that?

No, at least not with barebox (or U-Boot).

> Is there any documentation available regarding barebox and FIT?

Not really, no. Support is similar to U-Boot though. You have to use
mkimage on a device tree blob describing a FIT image. Additionally
you have to put a public key into the device tree to give barebox
something to verify against. If you decide to give it a try I can guide
you through and in the end we can generate documention from this for the
next one.

Sascha

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-01-16  9:41 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-16  8:26 Secure trusted boot mechanism Dold, Wolfram
2017-01-16  8:33 ` Sascha Hauer
2017-01-16  9:22   ` Dold, Wolfram
2017-01-16  9:40     ` Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox