[U-Boot] fit signature: Add fallback of required keys

Message ID 20180530213137.3290-1-sam.voss@rockwellcollins.com
State Superseded
Delegated to: Tom Rini
Series [U-Boot] fit signature: Add fallback of required keys

Commit Message

Sam Voss May 30, 2018, 9:31 p.m. UTC
Validation of fit image configuration signatures does not seem to do a
"fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.

The current constraints seem to only allow the following:

- skipping keys not marked "required" (not attempting to validate
  with them at all)
- checking a key marked required, but if it does not pass the validation
  entirely fails (no fall-back)

This patch keeps the non-required mechanism, however changes the
required key logic to check all keys until a key that can validate the
configuration is found. If none is found, an error is raised as before
and boot is halted.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
---
 common/image-sig.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

Patch

diff --git a/common/image-sig.c b/common/image-sig.c
index 455f2b9629..be1c7bd808 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -446,6 +446,7 @@  int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 		return 0;
 	}
 
+	/* Loop until either a valid key is found or we run out of keys */
 	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
 		const char *required;
 		int ret;
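Review bot: the new comment above fdt_for_each_subnode() understates the policy change it introduces. Together with the early "return 0" in the next hunk, "required" stops meaning that every required key must verify and starts meaning that any one required key is enough, so a board provisioned with two required keys would now accept a configuration signed by only one of them. Please state that any-of semantics explicitly in the comment, note that nodes not marked required are still skipped, and update doc/uImage.FIT/signature.txt in the same patch so the documented behaviour and the code agree.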
@@ -455,14 +456,20 @@  int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 			continue;
 		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
 					    noffset);
-		if (ret) {
-			printf("Failed to verify required signature '%s'\n",
-			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
+
+		if (!ret) { // key verified successfully
+			return 0;
 		}
+
+		printf("Failed to verify required signature with key '%s'\n",
+		       fit_get_name(sig_blob, noffset, NULL), ret);
 	}
 
-	return 0;
+	printf("No keys were able to verify required signature '%s'\n",
+		sig_node);
+
+	return -1;
+
 }
 
 int fit_config_verify(const void *fit, int conf_noffset)
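Review bot: the fall-through at the end of the loop now returns -1 unconditionally, so a key blob in which no node is marked required (every iteration takes the "continue") fails verification, where the old code returned 0. That contradicts the commit message's statement that the non-required mechanism is kept. Track whether at least one required key was actually tried and return 0 when none was. The two new printf() calls also have argument mismatches: the one inside the loop passes "ret" with no matching conversion in the format string, and the final one passes "sig_node" to %s although sig_node is the parent node offset handed to fdt_for_each_subnode(), not a string. Either add a %d for ret and drop the %s from the final message, or print a name obtained with fit_get_name(). Smaller points: keep the last error from fit_config_verify_sig() and return it instead of a bare -1, use a /* */ comment instead of "// key verified successfully", and drop the blank line before the closing brace.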