From patchwork Thu Jun 25 15:51:27 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
X-Patchwork-Id: 242992
List-Id: U-Boot discussion <u-boot.lists.denx.de>
From: thiruan at linux.microsoft.com (Thirupathaiah Annapureddy)
Date: Thu, 25 Jun 2020 08:51:27 -0700
Subject: [PATCH 1/2] vboot: add support for multiple required keys
In-Reply-To: <cover.1593045943.git.thiruan@linux.microsoft.com>
References: <cover.1593045943.git.thiruan@linux.microsoft.com>
Message-ID: <0f920e6ee369718f3b7a0b9e07920383229715fd.1593045943.git.thiruan@linux.microsoft.com>

Currently Verified Boot fails if there is a signature verification failure
using required key in U-boot DTB. This patch adds support for multiple
required keys. This means if verified boot passes with one of the required
keys, u-boot will continue the OS hand off.

There was a prior attempt to resolve this with the following patch:
https://lists.denx.de/pipermail/u-boot/2019-April/366047.html
The above patch was failing "make tests".

Signed-off-by: Thirupathaiah Annapureddy <thiruan at linux.microsoft.com>
---
 common/image-fit-sig.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
index cc1967109e..4d25d4c541 100644
--- a/common/image-fit-sig.c
+++ b/common/image-fit-sig.c
@@ -416,6 +416,8 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 {
 	int noffset;
 	int sig_node;
+	int verified = 0;
+	int reqd_sigs = 0;
 
 	/* Work out what we need to verify */
 	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
@@ -433,15 +435,23 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 				       NULL);
 		if (!required || strcmp(required, "conf"))
 			continue;
+
+		reqd_sigs++;
+
 		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
 					    noffset);
 		if (ret) {
 			printf("Failed to verify required signature '%s'\n",
 			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
+		} else {
+			verified = 1;
+			break;
 		}
 	}
 
+	if (reqd_sigs && !verified)
+		return -EPERM;
+
 	return 0;
 }