Hello all,

I've been playing around with signed FIT images and I found some unexpected 
I was hoping to get some input on whether this behaves as expected or whether 
an issue that needs resolving.

I have a board where I am attempting to sign both the config and image nodes of
image.  I am using two separate keys, one to sign the config, one to sign the
images.  I am using mkimage to set these keys as required.  I have found that if
I require config.key for configs and image.key for images, I boot successfully.
But if I have U-Boot require the same keys but sign my config node with
image.key, this also boots, but prints

RSA failed to verify: -22

This seems like unintended behavior to me.  If I have config.key as the required
key for configs, booting should not succeed if I have my image signed with
another valid key.  If I'm thinking about this correctly, it would mean only one
key would need to be
to infiltrate an image where multiple keys should be required.  Can someone
validate my thinking, or explain what I'm doing/thinking wrong?  The patch for
this issue, if indeed it is an issue, is fairly simple.

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 0d548f8..2e7c226 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -230,8 +230,7 @@ int rsa_verify(struct image_sign_info *info,
        if (info->required_keynode != -1) {
                ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
-               if (!ret)
-                       return ret;
+               return ret;
        /* Look for a key that matches our hint */
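Review bot: Making the `return ret;` unconditional inside the `if (info->required_keynode != -1)` block means a signature that fails against the required key no longer falls through to the "Look for a key that matches our hint" search, which is the behaviour the description asks for; please confirm in the commit message that this fall-through is what lets a config signed with image.key boot while the log shows the failed required-key check (the -22 is -EINVAL), since the hunk alone does not show what the caller does with a non-zero return. Also, the hunk as pasted is truncated (the `rsa_verify_with_keynode(` argument list and the closing brace of the block are cut off) and the patch has no commit message or Signed-off-by line; a resubmission should carry both.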

U-Boot mailing list

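To make the key-selection question in the post concrete, here is an added example (not U-Boot code, and not from the poster) that models the two control flows side by side: the posted one, where a failed required-key check falls through to the hint/any-key search, and the patched one, where the required key's verdict is final. HMAC-SHA256 stands in for RSA so the script runs offline; the key names, node contents and the `KeyNode`/`rsa_verify_*` helpers are all constructed for this example. Whether this fall-through is really what produces the observed boot is exactly what the post asks; the model only shows why an unconditional return closes the gap.

```python
"""Model of required-key selection in rsa_verify() (added example, not U-Boot code).

HMAC-SHA256 stands in for RSA so this runs offline; the point is the
key-selection control flow, not the signature algorithm.  Key names, node
data and helper names are made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

EINVAL = 22  # the "-22" in the post's log is -EINVAL


@dataclass(frozen=True)
class KeyNode:
    """One key node from the control FDT (hypothetical layout)."""
    name: str
    secret: bytes                   # stand-in for the RSA public key material
    required: Optional[str] = None  # "conf", "image" or None


def sign(key: KeyNode, data: bytes) -> bytes:
    """mkimage's role in the model: sign `data` with `key`."""
    return hmac.new(key.secret, data, hashlib.sha256).digest()


def verify_with_keynode(key: KeyNode, data: bytes, sig: bytes) -> int:
    """Stand-in for rsa_verify_with_keynode(): 0 on success, -EINVAL on failure."""
    return 0 if hmac.compare_digest(sign(key, data), sig) else -EINVAL


def _search_keys(keys: List[KeyNode], hint: Optional[str], data: bytes, sig: bytes) -> int:
    """The non-required path: try the hinted key first, then every key."""
    for key in keys:
        if key.name == hint and verify_with_keynode(key, data, sig) == 0:
            return 0
    for key in keys:
        if verify_with_keynode(key, data, sig) == 0:
            return 0
    return -EINVAL


def rsa_verify_fallthrough(keys, required, hint, data, sig) -> int:
    """Control flow as posted: a failed required-key check only logs and falls through."""
    if required is not None:
        ret = verify_with_keynode(required, data, sig)
        if ret == 0:
            return ret
        # bug being discussed: -22 is reported, but any other key may still accept
    return _search_keys(keys, hint, data, sig)


def rsa_verify_required(keys, required, hint, data, sig) -> int:
    """Control flow after the proposed patch: the required key's verdict is final."""
    if required is not None:
        return verify_with_keynode(required, data, sig)
    return _search_keys(keys, hint, data, sig)


def demo() -> dict:
    """Run both flows over three constructed signatures of one config node."""
    conf_key = KeyNode("config.key", b"conf-secret", required="conf")
    image_key = KeyNode("image.key", b"image-secret", required="image")
    keys = [conf_key, image_key]
    config_node = b"config-1: kernel=kernel-1 fdt=fdt-1"   # constructed FIT config data

    good_sig = sign(conf_key, config_node)                # signed with the required key
    cross_sig = sign(image_key, config_node)              # valid key, wrong role
    bogus_sig = sign(KeyNode("attacker", b"x"), config_node)  # unknown key

    def both(hint, sig):
        return (rsa_verify_fallthrough(keys, conf_key, hint, config_node, sig),
                rsa_verify_required(keys, conf_key, hint, config_node, sig))

    return {
        "correct_key": both("config.key", good_sig),      # (0, 0)
        "other_valid_key": both("image.key", cross_sig),  # (0, -22): fall-through accepts it
        "unknown_key": both("attacker", bogus_sig),       # (-22, -22)
    }


if __name__ == "__main__":
    for case, (posted, patched) in demo().items():
        print(f"{case:16s} posted={posted:4d} patched={patched:4d}")
```

The `other_valid_key` row is the scenario from the post: in the fall-through flow the required-key check fails (that is where the -22 comes from), but the hint names image.key, which verifies, so the config is accepted; with the required key's verdict made final, the same signature is rejected.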