[PATCH] lib: rsa: rsa-verify: don't look for keys in the FIT image

Alex G. mr.nuke.me at gmail.com
Tue Jan 12 19:30:44 CET 2021


On 1/12/21 12:18 PM, Philippe Reynes wrote:

Hi Philippe,

> In the function rsa_verify_hash, if the "main" key doesn't
> work, u-boot try others keys. But it searches those keys
> in the FIT image instead of the u-boot device tree.
> 
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
> ---
>   lib/rsa/rsa-verify.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 0ab0f629d0..e34d3293d1 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -522,10 +522,10 @@ int rsa_verify_hash(struct image_sign_info *info,
>   			return ret;
>   
>   		/* No luck, so try each of the keys in turn */
> -		for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
> +		for (ndepth = 0, noffset = fdt_next_node(blob, sig_node,
>   							 &ndepth);
>   		     (noffset >= 0) && (ndepth > 0);
> -		     noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
> +		     noffset = fdt_next_node(blob, noffset, &ndepth)) {
>   			if (ndepth == 1 && noffset != node) {
>   				ret = rsa_verify_with_keynode(info, hash,
>   							      sig, sig_len,

I was looking at this code ot too long ago and didn't notice the 
inconsistency. I think it would be better to use 'info->fdt_blob' and 
get rid of 'blob' completely.

Alex


More information about the U-Boot mailing list