From patchwork Wed May 30 21:31:37 2018
X-Patchwork-Submitter: Sam Voss
X-Patchwork-Id: 923038
X-Patchwork-Delegate: trini@ti.com
From: Sam Voss
To: u-boot@lists.denx.de
Date: Wed, 30 May 2018 16:31:37 -0500
Message-Id: <20180530213137.3290-1-sam.voss@rockwellcollins.com>
Subject: [U-Boot] [PATCH] fit signature: Add fallback of required keys

Validation of fit image configuration signatures does not seem to do a "fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.

The current constraints seem to only allow the following:

- skipping keys not marked "required" (not attempting to validate with them at all)
- checking a key marked required, but if it does not pass the validation entirely fails (no fall-back)

This patch keeps the non-required mechanism, however changes the required key logic to check all keys until a key that can validate the configuration is found. If none is found, an error is raised as before and boot is halted.

Signed-off-by: Sam Voss
--- common/image-sig.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/common/image-sig.c b/common/image-sig.c index 455f2b9629..be1c7bd808 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -446,6 +446,7 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, return 0; } + /* Loop until either a valid key is found or we run out of keys */ fdt_for_each_subnode(noffset, sig_blob, sig_node) { const char *required; int ret; 
@@ -455,14 +456,20 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, continue; ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, noffset); - if (ret) { - printf("Failed to verify required signature '%s'\n", - fit_get_name(sig_blob, noffset, NULL)); - return ret; + + if (!ret) { // key verified successfully + return 0; } + + printf("Failed to verify required signature with key '%s'\n", + fit_get_name(sig_blob, noffset, NULL), ret); } - return 0; + printf("No keys were able to verify required signature '%s'\n", + sig_node); + + return -1; + } int fit_config_verify(const void *fit, int conf_noffset)
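
Review bot: In the first hunk (@@ -446,6 +446,7), the new comment "Loop until either a valid key is found or we run out of keys" documents a policy change that the function name fit_config_verify_required_sigs no longer matches. The removed lines returned the error as soon as any required key failed, so every required key had to verify; with this change one passing required key is enough. A key blob that marks two keys as required in order to demand two independent signatures would now accept a configuration signed by only one of them. Suggest making the any-of behaviour opt-in, or at least stating it explicitly in this comment and in doc/uImage.FIT/signature.txt, and wording the comment as "required key", since non-required nodes are skipped by the continue.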
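
Review bot: In the second hunk (@@ -455,14 +456,20), the final return changes from 0 to -1 unconditionally, so a key blob in which every subnode is skipped by the continue (no key marked required) now fails verification where it used to succeed. Track whether any required key was actually attempted and return an error only in that case. The two new printf calls also need fixing: the first passes ret with no matching conversion in its format string, and the second passes sig_node, which is the parent node offset given to fdt_for_each_subnode, to %s, which is undefined behaviour on the failure path. Returning a bare -1 discards the error code from fit_config_verify_sig that the removed "return ret;" propagated; keep the last ret or use a named errno value. Style: use a /* */ comment instead of //, drop the braces around the single "return 0;", and remove the blank line before the closing brace.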