diff options
author | Simon Glass <sjg@chromium.org> | 2013-06-13 15:10:09 -0700 |
---|---|---|
committer | Tom Rini <trini@ti.com> | 2013-06-26 10:18:56 -0400 |
commit | 4d0985295bbb50a952f4312c0a818cd89b8ee7aa (patch) | |
tree | 44414eb8dfd6309ba56a21a8d8982a5d8f938f2b /doc/uImage.FIT/sign-configs.its | |
parent | 3e06cd1f97792b4bc3882de1ac99f031fb0eaa80 (diff) |
image: Add support for signing of FIT configurations
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).
Add support for signing of FIT configurations using the libfdt's region
support.
Please see doc/uImage.FIT/signature.txt for more information.
Signed-off-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'doc/uImage.FIT/sign-configs.its')
-rw-r--r-- | doc/uImage.FIT/sign-configs.its | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/doc/uImage.FIT/sign-configs.its b/doc/uImage.FIT/sign-configs.its new file mode 100644 index 00000000000..3c17f040de0 --- /dev/null +++ b/doc/uImage.FIT/sign-configs.its @@ -0,0 +1,45 @@ +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel@1 { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "lzo"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + hash@1 { + algo = "sha1"; + }; + }; + fdt@1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + hash@1 { + algo = "sha1"; + }; + }; + }; + configurations { + default = "conf@1"; + conf@1 { + kernel = "kernel@1"; + fdt = "fdt@1"; + signature@1 { + algo = "sha1,rsa2048"; + key-name-hint = "dev"; + sign-images = "fdt", "kernel"; + }; + }; + }; +}; |