author | Sascha Hauer <s.hauer@pengutronix.de> | 2022-05-04 13:06:20 +0200 |
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2022-05-04 15:12:31 +0200 |
commit | 66faea1edf07acd85dadbd67e208bef651ede2a0 (patch) | |
tree | 125c93a1d19105fe1c14f158c91e229f896393ee /common | |
parent | fd9f6562ece54284e701ada008700b4bebf3bff1 (diff) | |
fit: try other keys as fallback
Until now the RSA key and the image signature had to have a matching
key-name-hint. Relax that by trying other available keys when
the key-name-hints don't match or when the matching key can't verify
the signature.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'common')
-rw-r--r-- | common/image-fit.c | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/common/image-fit.c b/common/image-fit.c
index 152d066f47..a410632d70 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -256,7 +256,7 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 enum hash_algo algo, void *hash)
 {
 const struct rsa_public_key *key;
- const char *key_name;
+ const char *key_name = NULL;
 int sig_len;
 const char *sig_value;
 int ret;
@@ -267,24 +267,32 @@ static int fit_check_rsa_signature(struct device_node *sig_node,
 return -EINVAL;
 }
 
- if (of_property_read_string(sig_node, "key-name-hint", &key_name)) {
- pr_err("key name not found in %s\n", sig_node->full_name);
- return -EINVAL;
+ of_property_read_string(sig_node, "key-name-hint", &key_name);
+ if (key_name) {
+ key = rsa_get_key(key_name);
+ if (key) {
+ ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+ if (!ret)
+ goto ok;
+ }
 }
 
- key = rsa_get_key(key_name);
- if (!key) {
- pr_err("No such key: %s\n", key_name);
- return -ENOENT;
+ for_each_rsa_key(key) {
+ if (key_name && !strcmp(key->key_name_hint, key_name))
+ continue;
+
+ ret = rsa_verify(key, sig_value, sig_len, hash, algo);
+ if (!ret)
+ goto ok;
 }
 
- ret = rsa_verify(key, sig_value, sig_len, hash, algo);
- if (ret)
- pr_err("image signature BAD\n");
- else
- pr_info("image signature OK\n");
+ pr_err("image signature BAD\n");
 
- return ret;
+ return -EBADMSG;
+ok:
+ pr_info("image signature OK\n");
+
+ return 0;
 }
 
 /* |
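Review bot: The success path at `ok:` no longer says which key verified the image, and after this change that key may differ from the one named by `key-name-hint`, so a fallback match is invisible in the boot log; `key` is non-NULL on both jumps to `ok`, so `pr_info("image signature OK (key %s)\n", key->key_name_hint);` would make it auditable. The `for_each_rsa_key(key)` loop also widens the policy from "the hinted key" to "any key in the keyring", which deserves a one-line comment above the loop so a later reader does not reintroduce the hint as a hard requirement by accident. The `strcmp()` in that loop presumably relies on every registered key carrying a non-NULL `key_name_hint`; if the registration path does not guarantee that, it needs a guard. Returning a fixed `-EBADMSG` also discards `ret`, so a non-cryptographic failure inside `rsa_verify()` is now reported as a bad signature rather than as its own error. The body of fit_check_rsa_signature starts before this hunk.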