It may be unnecessary to check signatures on an unlocked board.
Get a hint from platform-specific code so that the same binary
supports both secure boot and non-secure boot, and boot is not
blocked if the board is not locked and has no key for signature
verification.

Signed-off-by: Jun Nie <jun....@linaro.org>
---
 common/image-sig.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/common/image-sig.c b/common/image-sig.c
index d9f712f..f3d1252 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -151,6 +151,11 @@ struct image_region *fit_region_make_list(const void *fit,
        return region;
 }
 
+int __attribute__((weak)) fit_board_skip_sig_verification(void)
+{
+       return 0;
+}
+
 static int fit_image_setup_verify(struct image_sign_info *info,
                const void *fit, int noffset, int required_keynode,
                char **err_msgp)
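Review bot: The new weak hook `fit_board_skip_sig_verification()` carries no comment stating its contract, and the diffstat shows only this .c file changing, so a board override would be written without a shared prototype. I would add a doc comment above it such as `/* Return non-zero only if a hardware-backed lock state reports the board unlocked; must not depend on the environment or other writable storage. */` and declare the function in the header that holds the other FIT signature prototypes. The default of 0 keeps verification enabled, which is the right fail-closed choice and worth stating in that comment. The hunk ends inside the unchanged signature of fit_image_setup_verify.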
@@ -188,6 +193,12 @@ int fit_image_check_sig(const void *fit, int noffset, 
const void *data,
        uint8_t *fit_value;
        int fit_value_len;
 
+       /* Skip verification if board says that */
+       if (fit_board_skip_sig_verification()) {
+               printf("signature check skipped\n");
+               return 0;
+       }
+
        *err_msgp = NULL;
        if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
                                   err_msgp))
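Review bot: The skip path in fit_image_check_sig returns 0, the same value as a successful verification, so callers cannot tell an unverified image from a verified one and whatever they report on success will still be shown. It also returns before `*err_msgp = NULL;`, leaving the caller's error pointer untouched on this path. I would move the check below that assignment and make the console message unambiguous, for example `printf("WARNING: board unlocked, FIT signature NOT verified\n");`. The same applies to the identical block added to fit_config_verify_required_sigs in the third hunk. The function body continues outside this hunk.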
@@ -438,6 +449,12 @@ int fit_config_verify_required_sigs(const void *fit, int 
conf_noffset,
        int noffset;
        int sig_node;
 
+       /* Skip verification if board says that */
+       if (fit_board_skip_sig_verification()) {
+               printf("signature check skipped\n");
+               return 0;
+       }
+
        /* Work out what we need to verify */
        sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
        if (sig_node < 0) {
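Review bot: The early return in fit_config_verify_required_sigs runs before the `fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME)` lookup, so a board that reports unlocked skips required-key enforcement even when keys are provisioned in sig_blob. That is wider than the commit message's "not locked and has no key". Consider doing the lookup first and consulting the hook only when no key node is present, e.g. `if (sig_node < 0 && fit_board_skip_sig_verification())`. The existing `if (sig_node < 0)` branch is cut off by the hunk, so how a missing key node is handled today is not visible here and should be checked before restructuring.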
-- 
2.7.4
