
On 25/06/2020 17.51, Thirupathaiah Annapureddy wrote:
Currently Verified Boot fails if there is a signature verification failure using a required key in the U-Boot DTB. This patch adds support for multiple required keys. This means that if verified boot passes with one of the required keys, U-Boot will continue the OS hand-off.
There was a prior attempt to resolve this with the following patch: https://lists.denx.de/pipermail/u-boot/2019-April/366047.html. The above patch was failing "make tests".
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Hi Thirupathaiah,
This is something I'm quite interested in; see https://lists.denx.de/pipermail/u-boot/2020-January/396629.html. I just never got around to following up on it due to other tasks. As Simon points out, the policy as to whether one or all (or some other choice) of the required keys must have signed the image needs to live in the .dtb.
I'd appreciate it if you could cc me on subsequent revisions.
Thanks, Rasmus