I've seen a lot of speculation as to what needs to be signed and what doesn't, so I'd like to put my thoughts down, because I think that I can at least answer that question.
phatd checks signatures on the following files:
- exec.ini [I believe]
- all of the players it runs out of exec.ini
- pkeys2.e
- /dos/nmp3
- stuff in the plugins directory that it runs [I believe]
- /dos/aadec
- /dos/hdparm
- playlists it loads
51d verifies the following signatures:
- firmware.pac
- boot.pac
- boot5.pac
- hdparm
- progpld
- blank.bif
- prog.bif
- anything which it would then run due to a SHELL directive
- swgrli
- some other file, in a function called "check_replacement_prog"
That leaves the following unaccounted for (i.e., with signatures, but I can't find anything that checks them):
- 51d
- linux
- phatd
- pkeysa
- ramdisk
- rc.sh
The keys to verify those signatures are presumably in pkeys2.e.
Linux is not verifying any signatures; neither is busybox. You can confirm this yourself by checking the phatnoise-provided sources:
http://unix.phatnoise.com/src/linux-2.4.18-rmk3-crypt1-20041101.tar.gz
http://unix.phatnoise.com/src/busybox-0.52-pn1.tar.gz
Now, this presumably means that all of those signatures are being verified by the boot ROM, and being verified using a key contained in the boot ROM itself -- otherwise, we could just stick our own key in pkey2 and resign all of the other files. (I'm still working on finding a way to use their signatures to verify their own binaries, so we can prove they are real signatures.)
(someday, I'll edit this with a real diagram...)
Ben