Message ID | 1568815494-24570-3-git-send-email-philippe.reynes@softathome.com |
---|---|
State | Accepted |
Commit | 0772a1f4973031d6a30482cf7610f691b6bc1e6d |
Delegated to: | Simon Glass |
Headers | show |
Series | rsa signature: check that required key is really mandatory | expand |
On Wed, 18 Sep 2019 at 08:05, Philippe Reynes <philippe.reynes@softathome.com> wrote: > > From: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> > > Currently, if image verification with a required key fails, rsa_verify() > code tries to find another key to verify the FIT image. This however, is > not the intended behavior as the documentation says that required keys > "must be verified for the image / configuration to be considered valid". > > This patch fixes the issue by making rsa_verify() return immediately if > the verification of a required key fails. > > Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> > --- > lib/rsa/rsa-verify.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) Reviewed-by: Simon Glass <sjg@chromium.org>
On Wed, 18 Sep 2019 at 08:05, Philippe Reynes <philippe.reynes@softathome.com> wrote: > > From: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> > > Currently, if image verification with a required key fails, rsa_verify() > code tries to find another key to verify the FIT image. This however, is > not the intended behavior as the documentation says that required keys > "must be verified for the image / configuration to be considered valid". > > This patch fixes the issue by making rsa_verify() return immediately if > the verification of a required key fails. > > Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@gmail.com> > --- > lib/rsa/rsa-verify.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) Reviewed-by: Simon Glass <sjg@chromium.org> Applied to u-boot-dm/next, thanks!
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 287fcc4..82dc513 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -437,8 +437,7 @@ int rsa_verify(struct image_sign_info *info, if (info->required_keynode != -1) { ret = rsa_verify_with_keynode(info, hash, sig, sig_len, info->required_keynode); - if (!ret) - return ret; + return ret; } /* Look for a key that matches our hint */