We still don't know if SecureBoot is enabled (via efuse) on that board. The BSP might provide a u-boot source tree that's able to deal with verified boot, but that isn't enough to enforce the chain of trust.
If uboot verifies the kernel but nothing verifies uboot, it should be possible to overwrite uboot entirely.
Also, we don't know what happens if the kernel signature doesn't match. Since u/NiMa has access to the serial port, I would suggest checking:
1. If the uboot prompt is available
2. There's no watchdog to trigger a reset on the AP after a few seconds standing at the uboot prompt
3. Try to load a kernel image to ram and jump to it, see what uboot does.