secure_boot/SIGNED_ON_UPDATE_NO_SECURE_BOOT: Only the first position of signature blocks is used to verify any update

2025-09-30 19:19:21 +00:00 · 2021-03-23 19:45:17 +08:00
parent aff0235e47
commit 7f40717eb2
3 changed files with 14 additions and 3 deletions
--- a/docs/en/security/secure-boot-v2.rst
+++ b/docs/en/security/secure-boot-v2.rst
@@ -337,7 +337,7 @@ This may be desirable in cases where the delay of Secure Boot verification on st

 In this mode, any public key which is present in the signature block of the currently running app will be used to verify the signature of a newly updated app. (The signature on the running app isn't verified during the update process, it's assumed to be valid.) In this way the system creates a chain of trust from the running app to the newly updated app.

-For this reason, it's essential that the initial app flashed to the device is also signed. A check is run on app startup and the app will abort if no signatures are found. This is to try and prevent a situation where no update is possible. Note again that, unlike hardware Secure Boot V2, the signature of the running app isn't verified on boot. The system only checks that at least one public key can be found there, in order to not prevent an update.
+For this reason, it's essential that the initial app flashed to the device is also signed. A check is run on app startup and the app will abort if no signatures are found. This is to try and prevent a situation where no update is possible. The app should have only one valid signature block in the first position. Note again that, unlike hardware Secure Boot V2, the signature of the running app isn't verified on boot.The system only verifies a signature block in the first position and ignores the other (2) appended signatures.

 .. note::