
signing boot script

Question asked by Paul Holmquist on Sep 25, 2018

None of the existing workshops that I have access to mention or provide instructions on how to generate a signed boot script. However, I noticed a reference in the Digi U-Boot (branch: v2015.04/maint) source file (ccimx6sbc.h) containing the following snippet:

#define CONFIG_BOOTCOMMAND \
    "if run loadscript; then " \
        "setexpr bs_ivt_offset ${filesize} - 0x4020;" \
        "if hab_auth_img ${loadaddr} ${bs_ivt_offset}; then " \
            "source ${loadaddr};" \
        "fi; " \
    "fi;" \

 

Wouldn't this be required to prevent a vulnerability in which an attacker modifies the script in non-volatile memory and attempts to start an unsigned kernel uImage? However, perhaps this is not possible, given that U-Boot was authenticated and therefore can only run if the uImage was signed. So perhaps the worst that can happen is that the device fails to boot the kernel.

Perhaps this is the reason there are no workshop instructions for this?
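
Added example (not part of the original question and not Digi's code): a host-side check that mirrors the `setexpr bs_ivt_offset ${filesize} - 0x4020` step from the snippet and confirms that a HAB v4 IVT header sits at that offset of a signed script file. It assumes that 0x4020 is the 0x20-byte IVT followed by a 0x4000-byte padded CSF area placed directly after it; the sample image and its load address are constructed. This only checks structure; the signature itself is verified on the target by `hab_auth_img`.

```python
import struct

IVT_SIZE = 0x20          # a HAB v4 IVT is 32 bytes
TRAILER_SIZE = 0x4020    # constant subtracted from ${filesize} in the snippet
HAB_TAG_IVT = 0xD1       # IVT header tag
HAB_MAJOR_V4 = 0x40      # major-version nibble of HAB v4


def locate_ivt(image: bytes) -> dict:
    """Compute the IVT offset as the boot command does and sanity-check the IVT."""
    if len(image) <= TRAILER_SIZE:
        raise ValueError("image is too small to carry an IVT and signature area")
    offset = len(image) - TRAILER_SIZE
    # Header: tag (1 byte), length (2 bytes, big-endian), version (1 byte).
    tag, length, version = struct.unpack_from(">BHB", image, offset)
    if tag != HAB_TAG_IVT or length != IVT_SIZE or (version & 0xF0) != HAB_MAJOR_V4:
        raise ValueError(f"no valid IVT header at offset {offset:#x}")
    # Remaining seven 32-bit little-endian words:
    # entry, reserved, dcd, boot_data, self, csf, reserved.
    _entry, _, _dcd, _boot, self_addr, csf, _ = struct.unpack_from(
        "<7I", image, offset + 4)
    # Assumption: the CSF area directly follows the IVT in this layout.
    if csf != self_addr + IVT_SIZE:
        raise ValueError("CSF pointer does not directly follow the IVT")
    return {"ivt_offset": offset,
            "load_addr": self_addr - offset,   # address the file must be loaded at
            "csf_addr": csf}


def build_sample(load_addr: int = 0x12000000, script_len: int = 0x100) -> bytes:
    """Constructed test image: dummy script, IVT, zero-filled 0x4000-byte CSF area."""
    self_addr = load_addr + script_len
    ivt = struct.pack(">BHB", HAB_TAG_IVT, IVT_SIZE, 0x40) + struct.pack(
        "<7I", load_addr, 0, 0, 0, self_addr, self_addr + IVT_SIZE, 0)
    return b"#" * script_len + ivt + bytes(TRAILER_SIZE - IVT_SIZE)


if __name__ == "__main__":
    info = locate_ivt(build_sample())
    print({name: hex(value) for name, value in info.items()})
```

Because the offset is derived from the file size, a file that has grown or shrunk by even one byte no longer has an IVT header where the boot command looks for it, so `locate_ivt` rejects it before any signature check is attempted.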
