From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1cT3me-0004en-KX for barebox@lists.infradead.org; Mon, 16 Jan 2017 09:41:02 +0000 Date: Mon, 16 Jan 2017 10:40:37 +0100 From: Sascha Hauer Message-ID: <20170116094037.t73xh5z3p2j6uvmr@pengutronix.de> References: <9bb241fd-643b-f0fc-e377-a86c79c552e1@allegion.com> <20170116083349.hvw6iapklok73ll7@pengutronix.de> <3ad4db8b-5686-5b9e-084d-b85b2bacbd57@allegion.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <3ad4db8b-5686-5b9e-084d-b85b2bacbd57@allegion.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "barebox" Errors-To: barebox-bounces+u.kleine-koenig=pengutronix.de@lists.infradead.org Subject: Re: Secure trusted boot mechanism To: "Dold, Wolfram" Cc: "barebox@lists.infradead.org" On Mon, Jan 16, 2017 at 09:22:57AM +0000, Dold, Wolfram wrote: > Hi Sascha, > thanks for your fast reply. > > On 16.01.2017 09:33, Sascha Hauer wrote: > > Hi Wolfram, > > > > On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote: > >> Hi all, > >> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or > >> any other type of verified secure trusted boot? > > > > Yes, barebox does support FIT images. > > It also supports HAB on i.MX machines, although this is only for > > starting trusted bootloaders from the ROM, not for starting trusted > > kernels. > We have an TI AM335x Machine. As I understood the only way in such an environment to boot a trusted kernel is FIT? Yes. Of course you have to make sure that the Boot ROM only boots trusted bootloaders. I don't know what the AM335x offers here to do that. > What we wnat to do is to prevent the device from being hijacked. > Do you know another way than FIT to do that? No, at least not with barebox (or U-Boot). > Is there any documentation available regarding barebox and FIT? Not really, no. Support is similar to U-Boot though. You have to use mkimage on a device tree blob describing a FIT image. Additionally you have to put a public key into the device tree to give barebox something to verify against. If you decide to give it a try I can guide you through and in the end we can generate documention from this for the next one. Sascha -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox