[U-Boot] RSA Signed images/configs issue

[John Schmoller]

Hello all,

I've been playing around with signed FIT images and I found some unexpected behavior.
I was hoping to get some input on whether this behaves as expected or whether there's
an issue that needs resolving.

I have a board where I am attempting to sign both the config and image nodes of a FIT
image.  I am using two separate keys, one to sign the config, one the images. I am using
mkimage to set these keys as required.  I have found that if I require config.key for
configs and image.key for images, I boot successfully.  But if I have U-Boot require the
same keys but sign my config node with image.key, this also boots, but prints

RSA failed to verify: -22

This seems like unintended behavior to me. If I have config.key as the required key for
configs, booting should not succeed if I have my image signed with another valid key. If
I'm thinking about this correctly, it would mean only one key would need to be compromised
to infiltrate an image where multiple keys should be required. Can someone validate my
thinking, or explain what I'm doing/thinking wrong?  The patch for this particular
issue, if indeed it is an issue, is fairly simple.

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 0d548f8..2e7c226 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -230,8 +230,7 @@ int rsa_verify(struct image_sign_info *info,
        if (info->required_keynode != -1) {
                ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
                        info->required_keynode);
-               if (!ret)
-                       return ret;
+               return ret;
        }
 
        /* Look for a key that matches our hint */


Thanks,
John