* Secure trusted boot mechanism @ 2017-01-16 8:26 Dold, Wolfram 2017-01-16 8:33 ` Sascha Hauer 0 siblings, 1 reply; 4+ messages in thread From: Dold, Wolfram @ 2017-01-16 8:26 UTC (permalink / raw) To: barebox Hi all, I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or any other type of verified secure trusted boot? Thanks, Wolfram _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism 2017-01-16 8:26 Secure trusted boot mechanism Dold, Wolfram @ 2017-01-16 8:33 ` Sascha Hauer 2017-01-16 9:22 ` Dold, Wolfram 0 siblings, 1 reply; 4+ messages in thread From: Sascha Hauer @ 2017-01-16 8:33 UTC (permalink / raw) To: Dold, Wolfram; +Cc: barebox Hi Wolfram, On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote: > Hi all, > I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or > any other type of verified secure trusted boot? Yes, barebox does support FIT images. It also supports HAB on i.MX machines, although this is only for starting trusted bootloaders from the ROM, not for starting trusted kernels. Sascha -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism 2017-01-16 8:33 ` Sascha Hauer @ 2017-01-16 9:22 ` Dold, Wolfram 2017-01-16 9:40 ` Sascha Hauer 0 siblings, 1 reply; 4+ messages in thread From: Dold, Wolfram @ 2017-01-16 9:22 UTC (permalink / raw) To: Sascha Hauer; +Cc: barebox Hi Sascha, thanks for your fast reply. On 16.01.2017 09:33, Sascha Hauer wrote: > Hi Wolfram, > > On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote: >> Hi all, >> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or >> any other type of verified secure trusted boot? > > Yes, barebox does support FIT images. > It also supports HAB on i.MX machines, although this is only for > starting trusted bootloaders from the ROM, not for starting trusted > kernels. We have an TI AM335x Machine. As I understood the only way in such an environment to boot a trusted kernel is FIT? What we wnat to do is to prevent the device from being hijacked. Do you know another way than FIT to do that? Is there any documentation available regarding barebox and FIT? Wolfram _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Secure trusted boot mechanism 2017-01-16 9:22 ` Dold, Wolfram @ 2017-01-16 9:40 ` Sascha Hauer 0 siblings, 0 replies; 4+ messages in thread From: Sascha Hauer @ 2017-01-16 9:40 UTC (permalink / raw) To: Dold, Wolfram; +Cc: barebox On Mon, Jan 16, 2017 at 09:22:57AM +0000, Dold, Wolfram wrote: > Hi Sascha, > thanks for your fast reply. > > On 16.01.2017 09:33, Sascha Hauer wrote: > > Hi Wolfram, > > > > On Mon, Jan 16, 2017 at 08:26:44AM +0000, Dold, Wolfram wrote: > >> Hi all, > >> I wanted to ask if barebox supports any kind of secure boot mechanism like FIT-Image or > >> any other type of verified secure trusted boot? > > > > Yes, barebox does support FIT images. > > It also supports HAB on i.MX machines, although this is only for > > starting trusted bootloaders from the ROM, not for starting trusted > > kernels. > We have an TI AM335x Machine. As I understood the only way in such an environment to boot a trusted kernel is FIT? Yes. Of course you have to make sure that the Boot ROM only boots trusted bootloaders. I don't know what the AM335x offers here to do that. > What we wnat to do is to prevent the device from being hijacked. > Do you know another way than FIT to do that? No, at least not with barebox (or U-Boot). > Is there any documentation available regarding barebox and FIT? Not really, no. Support is similar to U-Boot though. You have to use mkimage on a device tree blob describing a FIT image. Additionally you have to put a public key into the device tree to give barebox something to verify against. If you decide to give it a try I can guide you through and in the end we can generate documention from this for the next one. Sascha -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-01-16 9:41 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-01-16 8:26 Secure trusted boot mechanism Dold, Wolfram 2017-01-16 8:33 ` Sascha Hauer 2017-01-16 9:22 ` Dold, Wolfram 2017-01-16 9:40 ` Sascha Hauer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox