Hi Simon,

Thanks a lot for reviewing the patch.
I would appreciate it if you could clarify the following in-line questions:

On 6/29/2020 10:31 AM, Simon Glass wrote:
> Hi Thirupathaiah,
>
>
> On Mon, 29 Jun 2020 at 11:26, Simon Glass <[email protected]> wrote:
>>
>> Hi Thirupathaiah,
>>
>> On Thu, 25 Jun 2020 at 09:51, Thirupathaiah Annapureddy
>> <[email protected]> wrote:
>>>
>>> Currently Verified Boot fails if there is a signature verification failure
>>> using required key in U-boot DTB. This patch adds support for multiple
>>> required keys. This means if verified boot passes with one of the required
>>> keys, u-boot will continue the OS hand off.
>>>
>>> There was a prior attempt to resolve this with the following patch:
>>> https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
>>> The above patch was failing "make tests".
>>>
>>> Signed-off-by: Thirupathaiah Annapureddy <[email protected]>
>>> ---
>>> common/image-fit-sig.c | 12 +++++++++++-
>>> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> One more thing...this patch is changing the policy.

I assume you are referring to the policy of conf signing with all required keys instead of just one. I just wanted to double check.

However I did not see any test in test_vboot.py for verifying this policy. So I thought signing with all required keys is not by design and it is an unintended bug. Could you please clarify on this?

>
> I think we need a new string property in the DTB alongside the
> 'required' property, that indicates whether the image must be signed
> with all required keys, or just one.
>
> Regards,
> Simon
>

Best Regards,
Thiru
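The two policies discussed in this thread, modelled as an added example that is not U-Boot's code and not part of the patch: `enum required_policy`, `struct key_node` and `verify_required_conf_keys` are hypothetical names, the key table is constructed, and passing when no key is marked required is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy selector; the thread only proposes such a property. */
enum required_policy { REQUIRE_ALL, REQUIRE_ANY };

/* Constructed stand-in for one key node in the control DTB. */
struct key_node {
    const char *name;
    const char *required;   /* "conf", "image", or NULL when not required */
    bool sig_ok;            /* stand-in for the real signature check result */
};

/* Constructed sample: two required conf keys, only one of which verifies. */
static const struct key_node sample_keys[] = {
    { "dev",   "conf",  true  },
    { "prod",  "conf",  false },
    { "img",   "image", false },
    { "spare", NULL,    false },
};

/* Returns 0 if the configuration may be booted, -1 otherwise. */
int verify_required_conf_keys(const struct key_node *keys, size_t n,
                              enum required_policy policy)
{
    size_t required = 0, verified = 0;

    for (size_t i = 0; i < n; i++) {
        /* Only keys marked required for configurations take part. */
        if (!keys[i].required || strcmp(keys[i].required, "conf") != 0)
            continue;
        required++;
        if (keys[i].sig_ok)
            verified++;
    }
    if (required == 0)
        return 0;   /* assumption: nothing is required, nothing to enforce */
    if (policy == REQUIRE_ALL)
        return verified == required ? 0 : -1;
    return verified > 0 ? 0 : -1;   /* REQUIRE_ANY: one good key suffices */
}

int main(void)
{
    /* Same keys, opposite outcomes: ALL rejects, ANY accepts. */
    return !(verify_required_conf_keys(sample_keys, 4, REQUIRE_ALL) == -1 &&
             verify_required_conf_keys(sample_keys, 4, REQUIRE_ANY) == 0);
}
```

Under the "any" policy the boot decision rests on the weakest required key, which is why the choice between the two is a policy setting rather than an implementation detail.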

