From patchwork Wed Apr 11 23:34:07 2018
X-Patchwork-Submitter: John Schmoller
X-Patchwork-Id: 897428
X-Patchwork-Delegate: trini@ti.com
Date: Wed, 11 Apr 2018 18:34:07 -0500 (CDT)
From: John Schmoller
To: u-boot
Subject: [U-Boot] RSA Signed images/configs issue

Hello all,

I've been playing around with signed FIT images and I found some unexpected behavior. I was hoping to get some input on whether this behaves as expected or whether there's an issue that needs resolving.

I have a board where I am attempting to sign both the config and image nodes of a FIT image. I am using two separate keys, one to sign the config, one the images. I am using mkimage to set these keys as required.

I have found that if I require config.key for configs and image.key for images, I boot successfully. But if I have U-Boot require the same keys but sign my config node with image.key, this also boots, but prints

    RSA failed to verify: -22

This seems like unintended behavior to me. If I have config.key as the required key for configs, booting should not succeed if I have my image signed with another valid key. If I'm thinking about this correctly, it would mean only one key would need to be compromised to infiltrate an image where multiple keys should be required.

Can someone validate my thinking, or explain what I'm doing/thinking wrong? The patch for this particular issue, if indeed it is an issue, is fairly simple.

Thanks,
John

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 0d548f8..2e7c226 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c
@@ -230,8 +230,7 @@ int rsa_verify(struct image_sign_info *info, if (info->required_keynode != -1) { ret = rsa_verify_with_keynode(info, hash, sig, sig_len, info->required_keynode); - if (!ret) - return ret; + return ret; } /* Look for a key that matches our hint */
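
Review bot: the now-unconditional `return ret;` inside the `info->required_keynode != -1` block makes a failure of the required key final, but nothing in the code states that this is deliberate. Add a comment at that return saying that when a required key node is given no other key may be tried, so the fall-through to "Look for a key that matches our hint" is not reintroduced later by accident. The patch also arrives without a commit message or Signed-off-by line, which it needs before it can be applied.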
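
The fall-through described in the message, as an added model that is not part of the original mail or of U-Boot's code: a "signature" is reduced to the identity of the key that made it, and every `model_*` name is hypothetical. The loop over all trusted keys after a failed required key is an assumption drawn from the reported behaviour and the "Look for a key that matches our hint" comment in the hunk.

```c
#include <stdio.h>

/* Constructed model: a "signature" only records which key produced it. */
#define MODEL_EINVAL 22          /* the -22 printed in the report */
#define NO_REQUIRED_KEY (-1)
enum model_key { CONFIG_KEY = 0, IMAGE_KEY = 1, UNKNOWN_KEY = 2 };
#define TRUSTED_KEYS 2           /* config.key and image.key are both trusted */

/* Stand-in for rsa_verify_with_keynode(): 0 on match, -EINVAL otherwise. */
static int model_verify_with_key(int signer, int key)
{
    return signer == key ? 0 : -MODEL_EINVAL;
}

/* Pre-patch policy: a failed required key falls through to other keys. */
int model_verify_before(int signer, int required_key)
{
    int ret = -MODEL_EINVAL;
    if (required_key != NO_REQUIRED_KEY) {
        ret = model_verify_with_key(signer, required_key);
        if (!ret)
            return ret;
    }
    /* Assumed fall-through: try every trusted key in turn. */
    for (int key = 0; key < TRUSTED_KEYS; key++) {
        ret = model_verify_with_key(signer, key);
        if (!ret)
            return ret;
    }
    return ret;
}

/* Patched policy: the required key's result is final. */
int model_verify_after(int signer, int required_key)
{
    if (required_key != NO_REQUIRED_KEY)
        return model_verify_with_key(signer, required_key);
    for (int key = 0; key < TRUSTED_KEYS; key++)
        if (!model_verify_with_key(signer, key))
            return 0;
    return -MODEL_EINVAL;
}

int main(void)
{
    /* Config node signed with image.key while config.key is required. */
    printf("before patch: %d\n", model_verify_before(IMAGE_KEY, CONFIG_KEY));
    printf("after patch:  %d\n", model_verify_after(IMAGE_KEY, CONFIG_KEY));
    return 0;
}
```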