[U-Boot] RSA verify code and required keys

Daniele Alessandrelli daniele.alessandrelli at gmail.com
Sat Sep 14 10:02:25 UTC 2019

Hi Simon,

On Fri, Sep 13, 2019 at 5:36 PM Simon Glass <sjg at chromium.org> wrote:
> Hi Daniele,
> >
> > If I understand it correctly, at Line 440 we check if verification
> > with the required key succeeded and if so we return otherwise we
> > continue, trying other keys.
> Yes that's my understanding too.
> >
> > Is that the intended behavior? Shouldn't the code return in any case
> > (thus making the FIT verification process fail if the image couldn't
> > be verified with the required key)? Or am I missing something?
> Yes I think you are right. The documentation says:
> - required: If present this indicates that the key must be verified for the
> image / configuration to be considered valid. Only required keys are
> normally verified by the FIT image booting algorithm. Valid values are
> "image" to force verification of all images, and "conf" to force verification
> of the selected configuration (which then relies on hashes in the images to
> verify those).

Thanks for confirming it. I'll prepare a small patch to fix it... that
would be my first U-boot patch :D

> The test coverage does not handle that case at present, but it should.

I'm afraid I won't have time to fix that in my patch. I had a quick
look at 'test_fit.py' and it looks like there is quite some code to
write to add this test case.


More information about the U-Boot mailing list