
Hi Simon,
Thanks a lot for reviewing the patch.
I would appreciate it if you could clarify the following in-line questions:
On 6/29/2020 10:31 AM, Simon Glass wrote:
Hi Thirupathaiah,
On Mon, 29 Jun 2020 at 11:26, Simon Glass <sjg@chromium.org> wrote:
Hi Thirupathaiah,
On Thu, 25 Jun 2020 at 09:51, Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> wrote:
Currently Verified Boot fails if there is a signature verification failure using a required key in the U-Boot DTB. This patch adds support for multiple required keys. This means that if verified boot passes with one of the required keys, U-Boot will continue the OS hand off.
There was a prior attempt to resolve this with the following patch: https://lists.denx.de/pipermail/u-boot/2019-April/366047.html The above patch was failing "make tests".
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
common/image-fit-sig.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
One more thing...this patch is changing the policy.
I assume you are referring to the policy of conf signing with all required keys instead of just one. I just wanted to double check.
However, I did not see any test in test_vboot.py for verifying this policy. So I thought signing with all required keys is not by design and it is an unintended bug. Could you please clarify this?
I think we need a new string property in the DTB alongside the 'required' property, that indicates whether the image must be signed with all required keys, or just one.
Regards,
Simon

Best Regards,
Thiru
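
The policy question raised in this thread (must the configuration verify against every required key, or against at least one of them?) can be modelled as below. This is an added example, not code from the patch or from U-Boot: `enum required_mode`, `struct key_result` and `check_required_keys()` are hypothetical names, and treating "no required keys" as nothing to enforce is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy selector, standing in for the proposed DTB string property. */
enum required_mode { REQUIRED_ALL, REQUIRED_ANY };

/* One key node plus the outcome of checking the configuration signature against it (constructed model). */
struct key_result {
	const char *name;
	bool required;   /* key is marked as required */
	bool verified;   /* signature verified with this key */
};

/* Return 0 if boot may continue, -1 if verification must fail. */
int check_required_keys(const struct key_result *keys, size_t n,
			enum required_mode mode)
{
	size_t required = 0, passed = 0;

	for (size_t i = 0; i < n; i++) {
		if (!keys[i].required)
			continue;        /* non-required keys never satisfy the policy */
		required++;
		if (keys[i].verified)
			passed++;
	}
	if (required == 0)
		return 0;                /* assumption: nothing to enforce */
	if (mode == REQUIRED_ANY)
		return passed > 0 ? 0 : -1;
	return passed == required ? 0 : -1;
}

/* Constructed sample: image signed with "prod" only; "dev" is also required. */
static const struct key_result sample[] = {
	{ "dev",  true,  false },
	{ "prod", true,  true  },
	{ "test", false, true  },
};

int main(void)
{
	size_t n = sizeof(sample) / sizeof(sample[0]);

	printf("all: %d\n", check_required_keys(sample, n, REQUIRED_ALL));
	printf("any: %d\n", check_required_keys(sample, n, REQUIRED_ANY));
	return 0;
}
```

With the "any" policy, a valid signature from a single required key is enough, so every required key becomes an independent trust anchor; a signature from a key that is not marked required never counts under either policy.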