[U-Boot] [PATCH] fit signature: Add fallback of required keys

[Sam Voss]

Validation of fit image configuration signatures does not seem to do a
"fall-back" mechanism as mentioned in doc/uImage.FIT/signature.txt.

The current constraints seem to only allow the following:

- skipping keys not marked "required" (not attempting to validate
  with them at all)
- checking a key marked required, but if it does not pass the validation
  entirely fails (no fall-back)

This patch keeps the non-required mechanism, however changes the
required key logic to check all keys until a key that can validate the
configuration is found. If none is found, an error is raised as before
and boot is halted.

Signed-off-by: Sam Voss <sam.voss at rockwellcollins.com>
---
 common/image-sig.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/common/image-sig.c b/common/image-sig.c
index 455f2b9629..be1c7bd808 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -446,6 +446,7 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 		return 0;
 	}
 
+	/* Loop until either a valid key is found or we run out of keys */
 	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
 		const char *required;
 		int ret;
@@ -455,14 +456,20 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 			continue;
 		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
 					    noffset);
-		if (ret) {
-			printf("Failed to verify required signature '%s'\n",
-			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
+
+		if (!ret) { // key verified successfully
+			return 0;
 		}
+
+		printf("Failed to verify required signature with key '%s'\n",
+		       fit_get_name(sig_blob, noffset, NULL), ret);
 	}
 
-	return 0;
+	printf("No keys were able to verify required signature '%s'\n",
+		sig_node);
+
+	return -1;
+
 }
 
 int fit_config_verify(const void *fit, int conf_noffset)
-- 
2.14.2.746.g8fb8a94