
Hi Thirupathaiah,
On Mon, 29 Jun 2020 at 11:26, Simon Glass <sjg@chromium.org> wrote:
Hi Thirupathaiah,
On Thu, 25 Jun 2020 at 09:51, Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> wrote:
Currently Verified Boot fails if there is a signature verification failure using a required key in the U-Boot DTB. This patch adds support for multiple required keys. This means if verified boot passes with one of the required keys, U-Boot will continue the OS hand off.
There was a prior attempt to resolve this with the following patch:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
 common/image-fit-sig.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
One more thing...this patch is changing the policy.
I think we need a new string property in the DTB alongside the 'required' property, that indicates whether the image must be signed with all required keys, or just one.
Regards,
Simon