[U-Boot] [PATCH] fit: skip signature verification if board request

Simon Glass sjg at chromium.org
Thu Apr 12 17:24:23 UTC 2018


Hi,

On 11 April 2018 at 09:13, Jun Nie <jun.nie at linaro.org> wrote:
> It may be unnecessary to check signature on unlocked board.
> Get the hint from platform specific code to support secure boot
> and non-secure boot with the same binary, so that boot is not
> blocked if board is not locked and has no key for signature
> verification.
>
> Signed-off-by: Jun Nie <jun.nie at linaro.org>
> ---
>  common/image-sig.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/common/image-sig.c b/common/image-sig.c
> index d9f712f..f3d1252 100644
> --- a/common/image-sig.c
> +++ b/common/image-sig.c
> @@ -151,6 +151,11 @@ struct image_region *fit_region_make_list(const void *fit,
>         return region;
>  }
>
> +int __attribute__((weak)) fit_board_skip_sig_verification(void)
> +{
> +       return 0;
> +}
> +
>  static int fit_image_setup_verify(struct image_sign_info *info,
>                 const void *fit, int noffset, int required_keynode,
>                 char **err_msgp)
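Review bot: fit_board_skip_sig_verification() is introduced with no comment and, going by the diffstat (only common/image-sig.c is touched), no prototype in a shared header, so a board file that overrides it has no declaration to be checked against and no statement of what a non-zero return means. Please add a declaration with a comment spelling out that a non-zero return disables FIT signature checking and in which board state it may be returned.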
> @@ -188,6 +193,12 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data,
>         uint8_t *fit_value;
>         int fit_value_len;
>
> +       /* Skip verification if board says that */
> +       if (fit_board_skip_sig_verification()) {
> +               printf("signature check skipped\n");
> +               return 0;
> +       }
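Review bot: the early return in fit_image_check_sig() yields 0, the same value the function returns for a signature that verified, so the caller cannot tell "verified" from "not checked" and an image with a bad or missing signature is accepted whenever the board hook returns non-zero. The test sits directly after the local declarations, before any key or signature node is looked at, so it applies to every image and every key, including ones marked as required. Consider making the decision in the caller (or passing it in explicitly), returning a distinct code for the skipped case, and having the message name the image that was left unverified instead of the bare "signature check skipped".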

Instead of a weak function can you please add a parameter to this
function (perhaps a flags word?) and add a test for this case to the
test?

Regards,
Simon

