From: Sascha Hauer
Date: Wed, 11 Dec 2019 09:15:25 +0100
Subject: Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
To: Maik Otto
Cc: barebox@lists.infradead.org
Message-ID: <20191211081525.d5vpz2naqlgrf2wv@pengutronix.de>
In-Reply-To: <71fdd107-c88e-d605-44a8-92701eef926d@phytec.de>

On Wed, Dec 11, 2019 at 08:57:45AM +0100, Maik Otto wrote:
> Hi Sascha,
>
> in my opinion it is better to have it configurable, because there are
> different use cases and security requirements.
> I found the problem by creating a sd-card \emmc image with wic. The
> mbr, the partition table and bootloader get signed at barebox
> build and wic changes
> the partition table at the end of the build process. Then the sd card
> image could not boot, because the signature was wrong. yeah secure boot
> works :-)
> the highest protection you have, when mbr and partition table is signed
> with the bootloader, but it is not always necessary.

But in which cases is it really necessary? I can't think of any. The mbr
and partition table are not evaluated by the ROM code, hence they do not
need to be signed for HAB.

The images generated by the build system all do not have a partition
table included, so basically we are currently enforcing no partition
table at all which is just not useful.

I think the current way of including the first KiB in signed area comes
from the fact that we started doing HAB on a NAND device which doesn't
have a partition table. Other projects we are currently doing use eMMC
where we use the boot partitions, again no MBR or partition table. If we
had started on SD cards, we wouldn't have included the partition table
in the signature and also would never have thought it would be a good
idea to do so.

Regards
 Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
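
Added illustration, not part of the original e-mail and not barebox code: a Python sketch of the failure described in the thread, where an image tool rewrites the MBR partition table after signing. It assumes a plain SHA-256 digest as a stand-in for the signed hash and uses a constructed image and partition layout; only the "first KiB" figure comes from the thread.

```python
import hashlib
import struct

FIRST_KIB = 1024      # the "first KiB" the thread says is inside the signed area
PT_OFFSET = 0x1BE     # MBR partition table: four 16-byte entries
MAGIC_OFFSET = 0x1FE  # MBR boot signature 0x55 0xAA

# Constructed sample: blank first KiB (no partition table) + dummy bootloader bytes.
BUILT_IMAGE = bytes(FIRST_KIB) + b"CONSTRUCTED-BOOTLOADER-PAYLOAD" * 64


def repartition(image, partitions):
    """Return a copy with MBR entries written, as an image tool does after the build."""
    out = bytearray(image)
    for index, (ptype, lba_start, sectors) in enumerate(partitions):
        entry = struct.pack("<B3sB3sII", 0x00, b"\xff\xff\xff", ptype,
                            b"\xff\xff\xff", lba_start, sectors)
        off = PT_OFFSET + 16 * index
        out[off:off + 16] = entry
    out[MAGIC_OFFSET:MAGIC_OFFSET + 2] = b"\x55\xaa"
    return bytes(out)


def modified_range(before, after):
    """First and last byte offsets that differ, or None if the images are equal."""
    diff = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    return (diff[0], diff[-1]) if diff else None


def covered_digest(image, start):
    """SHA-256 over [start, end). Assumption: a plain digest stands in for the
    signed hash; the real HAB signature format is not modelled here."""
    return hashlib.sha256(image[start:]).hexdigest()


def signature_survives(built, final, start):
    """True if the area covered from `start` is unchanged between build and final image."""
    return covered_digest(built, start) == covered_digest(final, start)


if __name__ == "__main__":
    # Constructed partition layout: (type, first LBA, sector count).
    final = repartition(BUILT_IMAGE, [(0x0C, 8192, 131072), (0x83, 139264, 1048576)])
    first, last = modified_range(BUILT_IMAGE, final)
    print(f"bytes changed after build: 0x{first:x}..0x{last:x}")
    for start in (0, FIRST_KIB):
        ok = signature_survives(BUILT_IMAGE, final, start)
        print(f"signed area starts at 0x{start:x}: {'still valid' if ok else 'digest mismatch'}")
```

Running modified_range on a signed build output and the final card image shows whether a post-build step touched bytes inside the covered area.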