[PATCH 1/2] vboot: add support for multiple required keys

Thirupathaiah Annapureddy thiruan at linux.microsoft.com
Thu Jul 9 00:47:44 CEST 2020


Hi Simon,

Thanks a lot for reviewing the patch.

I would appreciate it if you could clarify the following in-line questions:

On 6/29/2020 10:31 AM, Simon Glass wrote:
> Hi Thirupathaiah,
> 
> 
> On Mon, 29 Jun 2020 at 11:26, Simon Glass <sjg at chromium.org> wrote:
>>
>> Hi Thirupathaiah,
>>
>> On Thu, 25 Jun 2020 at 09:51, Thirupathaiah Annapureddy
>> <thiruan at linux.microsoft.com> wrote:
>>>
>>> Currently Verified Boot fails if there is a signature verification failure
>>> using a required key in the U-Boot DTB. This patch adds support for multiple
>>> required keys. This means if verified boot passes with one of the required
>>> keys, U-Boot will continue the OS hand-off.
>>>
>>> There was a prior attempt to resolve this with the following patch:
>>> https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
>>> The above patch was failing "make tests".
>>>
>>> Signed-off-by: Thirupathaiah Annapureddy <thiruan at linux.microsoft.com>
>>> ---
>>>  common/image-fit-sig.c | 12 +++++++++++-
>>>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> One more thing...this patch is changing the policy.

I assume you are referring to the policy of conf signing with all required
keys instead of just one. I just wanted to double-check.

However, I did not see any test in test_vboot.py for verifying this policy.
So I thought signing with all required keys is not by design and it is
an unintended bug. Could you please clarify this?

> 
> I think we need a new string property in the DTB alongside the
> 'required' property, that indicates whether the image must be signed
> with all required keys, or just one.
> 
> Regards,
> Simon
> 

Best Regards,
Thiru
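A compact model of the policy the thread is debating, written in C as an added example (it is neither the patch under review nor U-Boot's own code): the string property beside `required`, its values "all" and "any", the fallback to "all" when the property is absent, and the pass result when no key is marked required for configurations are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of the policy discussed in the thread: each entry is one
 * key node under /signature in the control DTB, and `verifies` is the
 * precomputed outcome of checking the FIT config against that key (no crypto).
 */
struct key_node {
	const char *required;	/* "conf", "image" or NULL, as in the DTB */
	bool verifies;
};

/* Values of the hypothetical string property placed beside 'required'. */
enum reqd_policy { POLICY_ALL, POLICY_ANY };

static enum reqd_policy parse_policy(const char *prop)
{
	/* An absent or unknown value falls back to the stricter "all" rule. */
	if (prop && !strcmp(prop, "any"))
		return POLICY_ANY;
	return POLICY_ALL;
}

/* Returns 0 when the policy is satisfied, -1 when boot must stop. */
static int verify_required_keys(const struct key_node *keys, size_t n,
				const char *policy_prop)
{
	enum reqd_policy policy = parse_policy(policy_prop);
	int reqd_sigs = 0, verified = 0;

	for (size_t i = 0; i < n; i++) {
		/* Only keys marked required = "conf" take part in this check. */
		if (!keys[i].required || strcmp(keys[i].required, "conf"))
			continue;
		reqd_sigs++;
		if (keys[i].verifies) {
			verified++;
			if (policy == POLICY_ANY)
				break;	/* one good required signature suffices */
		} else if (policy == POLICY_ALL) {
			return -1;	/* every required key must verify */
		}
	}
	/* Required keys exist but none of them verified: refuse the hand-off. */
	if (reqd_sigs && !verified)
		return -1;
	return 0;
}
```

Under "any" a single compromised or mis-issued required key is enough to pass, which is why the stricter "all" rule is the safer default when the property is missing.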