libfdt issue - key verification fails with longer key-name

Heiko Stuebner heiko.stuebner at
Mon Apr 27 01:55:29 CEST 2020


I've encountered a strange issue that happens depending on the
length of the used key-name. Naming it "integrity" works,
"integrity-uboot" or even "integrity-ub" does not.
With the resulting key-node of course then being "key-integrity-uboot".

On the upper levels everything looks great, it finds the signatures and
correct key-node,  but when the spl reaches the
rsa_verify_with_keynode() function it falls apart and libfdt seems to read
strange values from the fdt.

Single values seem to be read back correctly, as can be seen with
rsa,n0-inverse and rsa,num-bits values that are correct with both
key-names (for the same base key).
But it's different with the public exponent rsa,exponent:
Where it reads back in the correct case as 0x0000 0000 0001 0001
with the longer keyname the result is i.e. 0x44b2 0100 0000 0000
(or similar, depending on the length of the keyname it seems).
The 0x0100 part stays the same always, but the 0x44b2 can also be
a 0xecb1

Is this some alignment issue somewhere, or do you have a hint
what I should poke?


More information about the U-Boot mailing list