[PATCH] fit: display proper node on error

Simon Glass sjg at chromium.org
Sun Oct 24 21:53:25 CEST 2021


Hi Alex,

On Wed, 6 Oct 2021 at 10:00, Alex G. <mr.nuke.me at gmail.com> wrote:
>
> + Simon
>
> On 10/6/21 10:47 AM, Angelo Dureghello wrote:
> > Fix final error message from
> >
> > Verification failed for '<NULL>' hash node in 'conf@1' config node
> >
> > to
> >
> > Verification failed for 'signature@1' hash node in 'conf@1' config node
> >
> > Signed-off-by: Angelo Dureghello <angelo.dureghello at timesys.com>
> > ---
> >   common/image-fit-sig.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
> > index b979cd2a4b..4f2a6ef214 100644
> > --- a/common/image-fit-sig.c
> > +++ b/common/image-fit-sig.c
> > @@ -166,8 +166,8 @@ static int fit_image_verify_sig(const void *fit, int image_noffset,
> >                       } else {
> >                               puts("+ ");
> >                               verified = 1;
> > -                             break;
> >                       }
> > +                     break;
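
Review bot: The `break;` moved below the closing brace of the `else` now runs on every pass, not only after `verified = 1;`, so the loop ends after the first signature node whatever its result and any later signature node is never checked. If the aim is only the node name in the final error message, as the commit message says, keep `break;` inside the `else` and record the offset of the failing node in a separate variable for the message, rather than changing when the loop exits.
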
>
> This would stop checking after the first signature- node. It seems
> counter-intuitive, as I would expect all signatures to be checked.
>
> In my mind, the 'break;' clause should only happen when
> fit_image_check_sig() returns an error. I have no idea why it happened
> on success. Simon, any thoughts?

If you have a 'required' signature you can use the signed-configs
approach. Checking the signature of individual images is not actually
all that useful.

So I think the break is in the right place. It checks all signatures
and reports them, but only cares whether at least one was verified.

For the error message to be correct, we need to save the noffset of
the failed node in a separate variable, I think, so we can report the
last error we got.

Regards,
Simon

