RoT should do local signature validation for bootleby before flashing. #1404
Labels:
- 🤔 design: Forward-looking discussions and proposals
- lpc55: Has specific implications for LPC55 processors
- robustness: Fixing this would improve robustness of deployed firmware
- root-of-trust
- security: Fixing this would improve system security
The RoT does not currently perform signature validation before flashing the bootloader.
Instead, it relies on kindness of upper layers to only request flashing of correct images.
Rather than put signature validation in `update_server`, Cliff has suggested staging an image in bootloader reserved flash and having the bootloader or pre-main perform a verification using the same ROM routines used at boot time. In addition to the verification status already passed for Hubris-A and Hubris-B images, the status of the staged image would be passed as well. Details on where `update_server` would place the image for verification, coordination of the necessary reset to give early FW control for verification, and how that information is passed are TBD.
The control plane does not currently update the bootloader. After this feature is implemented, it would be safer to do so.
Most incorrect installations have been done using faux-mgs by "hand" or through scripts to date.
RFDs 349 and 374 should be updated to reflect the new feature.