[U-Boot] [PATCH v2] fit signature: Add fallback of required keys

Validation of fit image configuration signatures does not seem to do a "fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.
The current constraints seem to only allow the following:
- skipping keys not marked "required" (not attempting to validate with them at all)
- checking a key marked required, but if it does not pass the validation entirely fails (no fall-back)
This patch keeps the non-required mechanism; however, it changes the required key logic to check all keys until a key that can validate the configuration is found. If none is found, an error is raised as before and boot is halted.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
--
v1->v2:
- Fix comment style
- Fix unused argument in printf
- Fix broken printf argument
---
 common/image-sig.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/common/image-sig.c b/common/image-sig.c index 455f2b9629..15073e60e9 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -446,6 +446,7 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, return 0; }
+ /* Loop until either a valid key is found or we run out of keys */ fdt_for_each_subnode(noffset, sig_blob, sig_node) { const char *required; int ret; @@ -455,14 +456,19 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, continue; ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, noffset); - if (ret) { - printf("Failed to verify required signature '%s'\n", - fit_get_name(sig_blob, noffset, NULL)); - return ret; + + if (!ret) { /* key verified successfully */ + return 0; } + + printf("Failed to verify required signature with key '%s'\n", + fit_get_name(sig_blob, noffset, NULL)); }
- return 0; + printf("No keys were able to verify required signature\n"); + + return -1; + }
int fit_config_verify(const void *fit, int conf_noffset)
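Review bot: the comment added before fdt_for_each_subnode() describes only the new success path, while the first thing the loop body still does is skip every key that lacks required = "conf", so "a valid key" reads as if non-required keys were candidates too. Suggest wording it as "Skip non-required keys; stop at the first required key that verifies, fail once all are exhausted" so the skip and the fall-through are both visible.

Review bot: the unconditional `return -1` after the loop changes the result for a signature node that has no key with required = "conf": before this hunk the loop body never ran for such a node and the function returned 0, now it prints "No keys were able to verify required signature" and rejects the configuration, which is a behaviour change the commit message does not mention and is a likely cause of the test breakage. If rejecting is intended, say so in the message and update the tests; otherwise record whether any required key was seen (for example a flag set just before the `fit_config_verify_sig()` call) and keep `return 0` when none was. The same hunk also turns the policy from "every required key must verify" into "any one required key is enough", so a FIT that previously needed both required keys to sign the configuration now passes with one; that weakening deserves a sentence in the commit message and in doc/uImage.FIT/signature.txt. Finally, the error code from `fit_config_verify_sig()` that the removed `return ret;` propagated is now discarded in favour of a bare -1.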
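As an added illustration, not U-Boot code, here is a small C model of the required-key loop before and after the patch, with each /signature sub-node reduced to its name, its "required" property and a constructed verification outcome. It shows the two effects of the change side by side: a configuration with two required keys is accepted once only one of them verifies, and a configuration with no required key at all goes from accepted to rejected.

```c
/* Constructed model of fit_config_verify_required_sigs(), not U-Boot code:
 * each entry is one sub-node of the /signature node, with its signature's
 * verification outcome precomputed so the two policies can be compared. */
#include <stdio.h>
#include <string.h>
struct sig_key {
	const char *name;     /* sub-node name, e.g. "key-dev" (constructed) */
	const char *required; /* "required" property value, NULL if absent */
	int verifies;         /* 1 if fit_config_verify_sig() would return 0 */
};
#define N_KEYS(a) ((int)(sizeof(a) / sizeof((a)[0])))
/* Pre-patch policy: every key with required = "conf" must verify. */
int verify_all_required(const struct sig_key *keys, int n)
{
	for (int i = 0; i < n; i++) {
		if (!keys[i].required || strcmp(keys[i].required, "conf"))
			continue; /* non-required keys are never checked */
		if (!keys[i].verifies) {
			printf("Failed to verify required signature '%s'\n", keys[i].name);
			return -1;
		}
	}
	return 0; /* also reached when no key is marked required */
}

/* Patched policy: the first required key that verifies accepts the config; falling off the end of the loop rejects it. */
int verify_first_required(const struct sig_key *keys, int n)
{
	for (int i = 0; i < n; i++) {
		if (!keys[i].required || strcmp(keys[i].required, "conf"))
			continue;
		if (keys[i].verifies)
			return 0;
		printf("Failed to verify required signature with key '%s'\n", keys[i].name);
	}
	printf("No keys were able to verify required signature\n");
	return -1; /* also reached when no key is marked required */
}
/* Constructed scenarios: two required keys of which only one verifies; a node whose only key is not marked required. */
const struct sig_key two_required[] = { { "key-dev", "conf", 0 }, { "key-prod", "conf", 1 } };
const struct sig_key none_required[] = { { "key-dev", NULL, 1 } };
int main(void)
{
	printf("two required, one verifies: old=%d new=%d; none required: old=%d new=%d\n",
	       verify_all_required(two_required, N_KEYS(two_required)),
	       verify_first_required(two_required, N_KEYS(two_required)),
	       verify_all_required(none_required, N_KEYS(none_required)),
	       verify_first_required(none_required, N_KEYS(none_required)));
	return 0;
}
```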

On Mon, Apr 22, 2019 at 04:28:01PM -0500, Sam Voss wrote:
> Validation of fit image configuration signatures does not seem to do a "fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.
> The current constraints seem to only allow the following:
> - skipping keys not marked "required" (not attempting to validate with them at all)
> - checking a key marked required, but if it does not pass the validation entirely fails (no fall-back)
> This patch keeps the non-required mechanism; however, it changes the required key logic to check all keys until a key that can validate the configuration is found. If none is found, an error is raised as before and boot is halted.
> Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
This breaks 'make tests' as it doesn't update the tests, please fix, thanks!