[Bug 1831942] Re: support u-boot Flat Image Tree (FIT) signing support
Andy Whitcroft
apw at canonical.com
Tue Jun 11 11:46:23 UTC 2019
** Description changed:
+ [Impact] the existing mkimage/dumpimage tools are unable to make or dump
+ out the contents of a u-boot FIT image.
+
+ [Test Case] run mkimage with no arguments, note that signing is shown as
+ not enabled.
+
+ [Regression Potential] though this changes the u-boot boot loader
+ package, only the build of the u-boot-utils package contents is
+ modified. This primarily enabled FIT_SIGNATURE support in the
+ configuration before building those tools. The majority of the tools we
+ ship do not have configuration support even and so should not be
+ affected. mkimage et al are not normally used during a
+ kernel/bootloader update and so the risk to a pre-installed system
+ should be low.
+
+ ===
+
We need a mechanism for securely signing Flat Image Tree binaries. This
will be performed in a similar manner to UEFI signing support via a
custom binary upload to launchpad. We will also need a u-boot update to
enable image creation and signing support in mkimage.
** Description changed:
[Impact] the existing mkimage/dumpimage tools are unable to make or dump
out the contents of a u-boot FIT image.
[Test Case] run mkimage with no arguments, note that signing is shown as
not enabled.
[Regression Potential] though this changes the u-boot boot loader
package, only the build of the u-boot-utils package contents is
modified. This primarily enabled FIT_SIGNATURE support in the
configuration before building those tools. The majority of the tools we
ship do not have configuration support even and so should not be
affected. mkimage et al are not normally used during a
kernel/bootloader update and so the risk to a pre-installed system
- should be low.
+ should be low. There is slightly higher risk in the xenial changes as
+ the enablement has enabled some additional tool builds, but none of
+ those are shipped in the resulting binaries.
===
We need a mechanism for securely signing Flat Image Tree binaries. This
will be performed in a similar manner to UEFI signing support via a
custom binary upload to launchpad. We will also need a u-boot update to
enable image creation and signing support in mkimage.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to u-boot in Ubuntu.
https://bugs.launchpad.net/bugs/1831942
Title:
support u-boot Flat Image Tree (FIT) signing support
Status in Launchpad itself:
In Progress
Status in u-boot package in Ubuntu:
In Progress
Status in u-boot source package in Xenial:
In Progress
Status in u-boot source package in Bionic:
In Progress
Status in u-boot source package in Cosmic:
In Progress
Status in u-boot source package in Disco:
In Progress
Status in u-boot source package in Eoan:
In Progress
Bug description:
[Impact] the existing mkimage/dumpimage tools are unable to make or
dump out the contents of a u-boot FIT image.
[Test Case] run mkimage with no arguments, note that signing is shown
as not enabled.
[Regression Potential] though this changes the u-boot boot loader
package, only the build of the u-boot-utils package contents is
modified. This primarily enabled FIT_SIGNATURE support in the
configuration before building those tools. The majority of the tools
we ship do not have configuration support even and so should not be
affected. mkimage et al are not normally used during a
kernel/bootloader update and so the risk to a pre-installed system
should be low. There is slightly higher risk in the xenial changes as
the enablement has enabled some additional tool builds, but none of
those are shipped in the resulting binaries.
===
We need a mechanism for securely signing Flat Image Tree binaries.
This will be performed in a similar manner to UEFI signing support via
a custom binary upload to launchpad. We will also need a u-boot
update to enable image creation and signing support in mkimage.
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1831942/+subscriptions
More information about the foundations-bugs
mailing list