Validation of fit image configuration signatures does not seem to do a
"fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.
The current constraints seem to only allow the following:
- skipping keys not marked "required" (not attempting to validate
with them at all)
- checking a key marked required, but if it does not pass the validation
entirely fails (no fall-back)
This patch keeps the non-required mechanism, however changes the
required key logic to check all keys until a key that can validate the
configuration is found. If none is found, an error is raised as before
and boot is halted.
Signed-off-by: Sam Voss <sam.v...@rockwellcollins.com>
--
v1->v2:
- Fix comment style
- Fix unused argument in printf
- Fix broken printf argument
---
common/image-sig.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/common/image-sig.c b/common/image-sig.c
index 455f2b9629..15073e60e9 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -446,6 +446,7 @@ int fit_config_verify_required_sigs(const void *fit, int
conf_noffset,
return 0;
}
+ /* Loop until either a valid key is found or we run out of keys */
fdt_for_each_subnode(noffset, sig_blob, sig_node) {
const char *required;
int ret;
@@ -455,14 +456,19 @@ int fit_config_verify_required_sigs(const void *fit, int
conf_noffset,
continue;
ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
noffset);
- if (ret) {
- printf("Failed to verify required signature '%s'\n",
- fit_get_name(sig_blob, noffset, NULL));
- return ret;
+
+ if (!ret) { /* key verified successfully */
+ return 0;
}
+
+ printf("Failed to verify required signature with key '%s'\n",
+ fit_get_name(sig_blob, noffset, NULL));
}
- return 0;
+ printf("No keys were able to verify required signature\n");
+
+ return -1;
+
}
int fit_config_verify(const void *fit, int conf_noffset)
--
2.14.2.746.g8fb8a94
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
