[U-Boot] RSA verify code and required keys
Daniele Alessandrelli
daniele.alessandrelli at gmail.com
Sat Sep 14 10:02:25 UTC 2019
Hi Simon,
On Fri, Sep 13, 2019 at 5:36 PM Simon Glass <sjg at chromium.org> wrote:
>
> Hi Daniele,
>
> >
> > If I understand it correctly, at Line 440 we check if verification
> > with the required key succeeded and if so we return otherwise we
> > continue, trying other keys.
>
> Yes that's my understanding too.
>
> >
> > Is that the intended behavior? Shouldn't the code return in any case
> > (thus making the FIT verification process fail if the image couldn't
> > be verified with the required key)? Or am I missing something?
>
> Yes I think you are right. The documentation says:
>
> - required: If present this indicates that the key must be verified for the
> image / configuration to be considered valid. Only required keys are
> normally verified by the FIT image booting algorithm. Valid values are
> "image" to force verification of all images, and "conf" to force verification
> of the selected configuration (which then relies on hashes in the images to
> verify those).
Thanks for confirming it. I'll prepare a small patch to fix it... that
would be my first U-boot patch :D
>
> The test coverage does not handle that case at present, but it should.
>
I'm afraid I won't have time to fix that in my patch. I had a quick
look at 'test_fit.py' and it looks like there is quite some code to
write to add this test case.
Regards,
Daniele
More information about the U-Boot
mailing list