mail archive of the barebox mailing list
* [PATCH] bootm: change default verification mode from hash to available
@ 2025-02-14 15:46 Ahmad Fatoum
  2025-02-17  7:39 ` Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2025-02-14 15:46 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

The default of global.bootm.verify=hash means that barebox will refuse
to boot images without hashes, but won't bother verifying the signature.

For verified boot setups, this parameter needs to be set to signature,
preferably enforced via CONFIG_BOOTM_FORCE_SIGNED_IMAGES.

For everything else, it's better user experience if barebox would just
verify what's available instead of refusing to boot images without hashes,
like the image.fit that Linux can now generate as part of its build.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/bootm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/bootm.c b/common/bootm.c
index 80905d4cf1ce..dd9ba2eae3b2 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -87,7 +87,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
 	bootm_dryrun = data->dryrun;
 }
 
-static enum bootm_verify bootm_verify_mode = BOOTM_VERIFY_HASH;
+static enum bootm_verify bootm_verify_mode = BOOTM_VERIFY_AVAILABLE;
 
 enum bootm_verify bootm_get_verify_mode(void)
 {
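Review bot: the new initializer, bootm_verify_mode = BOOTM_VERIFY_AVAILABLE, relaxes the default for every board that never sets global.bootm.verify. Going by the commit message, an image without hashes was refused before and now boots with nothing verified. The diffstat shows only common/bootm.c changing, so any documentation or help text that still names hash as the default should be updated in the same patch. A short comment above the initializer would also help, stating that this default is a convenience setting and that verified boot setups must use signature, preferably enforced via CONFIG_BOOTM_FORCE_SIGNED_IMAGES. It is worth confirming that the forced-signature path does not depend on this static default.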
-- 
2.39.5



