[PATCH 1/2] vboot: add support for multiple required keys

25 Jun 2020

Currently Verified Boot fails if there is a signature verification failure
using required key in U-boot DTB. This patch adds support for multiple
required keys. This means if verified boot passes with one of the required
keys, u-boot will continue the OS hand off.
There was a prior attempt to resolve this with the following patch:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
Signed-off-by: Thirupathaiah Annapureddy thiruan@linux.microsoft.com
---
 common/image-fit-sig.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
index cc1967109e..4d25d4c541 100644
--- a/common/image-fit-sig.c
+++ b/common/image-fit-sig.c
@@ -416,6 +416,8 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 {
    int noffset;
    int sig_node;
+	int verified = 0;
+	int reqd_sigs = 0;
/* Work out what we need to verify */
    sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
@@ -433,15 +435,23 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
    			       NULL);
    	if (!required || strcmp(required, "conf"))
    		continue;
+
+		reqd_sigs++;
+
    	ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
    				    noffset);
    	if (ret) {
    		printf("Failed to verify required signature '%s'\n",
    		       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
+		} else {
+			verified = 1;
+			break;
    	}
    }
+	if (reqd_sigs && !verified)
+		return -EPERM;
+
    return 0;
 }
-- 
2.17.1


    