Hello all, I've been playing around with signed FIT images and I found some unexpected behavior. I was hoping to get some input on whether this behaves as expected or whether there's an issue that needs resolving.
I have a board where I am attempting to sign both the config and image nodes of a FIT image. I am using two separate keys, one to sign the config, one for the images. I am using mkimage to set these keys as required. I have found that if I require config.key for configs and image.key for images, I boot successfully. But if I have U-Boot require the same keys but sign my config node with image.key, this also boots, but prints "RSA failed to verify: -22".

This seems like unintended behavior to me. If I have config.key as the required key for configs, booting should not succeed if I have my image signed with another valid key. If I'm thinking about this correctly, it would mean only one key would need to be compromised to infiltrate an image where multiple keys should be required. Can someone validate my thinking, or explain what I'm doing/thinking wrong?

The patch for this particular issue, if indeed it is an issue, is fairly simple.

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 0d548f8..2e7c226 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -230,8 +230,7 @@ int rsa_verify(struct image_sign_info *info, if (info->required_keynode != -1) { ret = rsa_verify_with_keynode(info, hash, sig, sig_len, info->required_keynode); - if (!ret) - return ret; + return ret; } /* Look for a key that matches our hint */

Thanks,
John
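Review bot: making `return ret;` unconditional in the `info->required_keynode != -1` block removes the fall-through to the "Look for a key that matches our hint" search, so any non-zero result from rsa_verify_with_keynode() for the required node now ends verification; that is the fail-closed behaviour the report asks for, but it also means a required keynode that cannot be read is now reported the same way as a bad signature, so the commit message should state that the required key is authoritative and that no other key on the ring may satisfy the check. A one-line comment above the block would record the intent for the next reader, e.g. `/* A required key is authoritative: never fall back to other keys */`.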
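The policy difference John describes, as an added example that is not part of his message or of U-Boot's own code: a constructed model of the key-selection logic in rsa_verify(), with the RSA check replaced by a comparison of key names (an assumption made only to show the selection logic), the array index standing in for the keynode, and -22 used as the failure code because it is the value seen in the report (-EINVAL). The pre-patch function falls through to the key search when the required key fails; the post-patch function returns the required key's result as final.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the key-selection policy in U-Boot's rsa_verify():
 * if a required keynode is set, verify against it; otherwise search the
 * key ring. The RSA signature check itself is replaced by a comparison of
 * key names (an assumption for illustration only, not real cryptography).
 */

#define NO_REQUIRED_KEYNODE (-1)
#define ERR_VERIFY (-22)          /* -EINVAL, the value seen in the report */

/* Constructed key ring; the array index plays the role of the keynode. */
static const char *const keyring[] = { "config.key", "image.key" };
#define NKEYS ((int)(sizeof(keyring) / sizeof(keyring[0])))

/* Stand-in for rsa_verify_with_keynode(): 0 only if the signature was made
 * with the key stored at that node, -22 otherwise (or for a bad node). */
static int verify_with_keynode(const char *signed_with, int keynode)
{
	if (keynode < 0 || keynode >= NKEYS)
		return ERR_VERIFY;
	return strcmp(signed_with, keyring[keynode]) == 0 ? 0 : ERR_VERIFY;
}

/* Search every key on the ring; models the "look for a key that matches
 * our hint, then any key" path that follows the required-key block. */
static int verify_with_any_key(const char *signed_with)
{
	for (int node = 0; node < NKEYS; node++)
		if (verify_with_keynode(signed_with, node) == 0)
			return 0;
	return ERR_VERIFY;
}

/* Pre-patch policy: a failure under the required key falls through to the
 * search, so any other key on the ring can still satisfy the check. */
int verify_with_fallback(const char *signed_with, int required_keynode)
{
	if (required_keynode != NO_REQUIRED_KEYNODE) {
		int ret = verify_with_keynode(signed_with, required_keynode);
		if (!ret)
			return ret;
		/* fall through: the failure is not treated as final */
	}
	return verify_with_any_key(signed_with);
}

/* Post-patch policy: the required key is authoritative and its result is
 * returned unconditionally; the search only runs when no key is required. */
int verify_fail_closed(const char *signed_with, int required_keynode)
{
	if (required_keynode != NO_REQUIRED_KEYNODE)
		return verify_with_keynode(signed_with, required_keynode);
	return verify_with_any_key(signed_with);
}

int main(void)
{
	const int config_keynode = 0;     /* "config.key" is required for configs */
	const char *signer = "image.key"; /* config node signed with the wrong key */

	/* fallback policy accepts (0), fail-closed policy rejects (-22) */
	printf("fallback policy:    %d\n", verify_with_fallback(signer, config_keynode));
	printf("fail-closed policy: %d\n", verify_fail_closed(signer, config_keynode));
	return 0;
}
```

With config.key required at node 0 and the config signed by image.key, the fallback policy returns 0 because the search finds image.key on the ring, which is the single-key-compromise case described above; the fail-closed policy returns -22 and the image does not boot. When no key is required, both policies behave the same and any key on the ring is accepted.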