Currently Verified Boot fails if there is a signature verification failure using required key in U-boot DTB. This patch adds support for multiple required keys. This means if verified boot passes with one of the required keys, u-boot will continue the OS hand off.
There was a prior attempt to resolve this with the following patch: https://lists.denx.de/pipermail/u-boot/2019-April/366047.html The above patch was failing "make tests". Signed-off-by: Thirupathaiah Annapureddy <[email protected]> --- common/image-fit-sig.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c index cc1967109e..4d25d4c541 100644 --- a/common/image-fit-sig.c +++ b/common/image-fit-sig.c @@ -416,6 +416,8 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, { int noffset; int sig_node; + int verified = 0; + int reqd_sigs = 0; /* Work out what we need to verify */ sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); @@ -433,15 +435,23 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, NULL); if (!required || strcmp(required, "conf")) continue; + + reqd_sigs++; + ret = fit_config_verify_sig(fit, conf_noffset, sig_blob, noffset); if (ret) { printf("Failed to verify required signature '%s'\n", fit_get_name(sig_blob, noffset, NULL)); - return ret; + } else { + verified = 1; + break; } } + if (reqd_sigs && !verified) + return -EPERM; + return 0; } -- 2.17.1
