[PATCH] lib: rsa: rsa-verify: don't look for keys in the FIT image

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] lib: rsa: rsa-verify: don't look for keys in the FIT image

Philippe Reynes-3
In the function rsa_verify_hash, if the "main" key doesn't
work, u-boot try others keys. But it searches those keys
in the FIT image instead of the u-boot device tree.

Signed-off-by: Philippe Reynes <[hidden email]>
---
 lib/rsa/rsa-verify.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 0ab0f629d0..e34d3293d1 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -522,10 +522,10 @@ int rsa_verify_hash(struct image_sign_info *info,
  return ret;
 
  /* No luck, so try each of the keys in turn */
- for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
+ for (ndepth = 0, noffset = fdt_next_node(blob, sig_node,
  &ndepth);
      (noffset >= 0) && (ndepth > 0);
-     noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
+     noffset = fdt_next_node(blob, noffset, &ndepth)) {
  if (ndepth == 1 && noffset != node) {
  ret = rsa_verify_with_keynode(info, hash,
       sig, sig_len,
--
2.17.1

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] lib: rsa: rsa-verify: don't look for keys in the FIT image

Alexandru Gagniuc-2
On 1/12/21 12:18 PM, Philippe Reynes wrote:

Hi Philippe,

> In the function rsa_verify_hash, if the "main" key doesn't
> work, u-boot try others keys. But it searches those keys
> in the FIT image instead of the u-boot device tree.
>
> Signed-off-by: Philippe Reynes <[hidden email]>
> ---
>   lib/rsa/rsa-verify.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 0ab0f629d0..e34d3293d1 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -522,10 +522,10 @@ int rsa_verify_hash(struct image_sign_info *info,
>   return ret;
>  
>   /* No luck, so try each of the keys in turn */
> - for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
> + for (ndepth = 0, noffset = fdt_next_node(blob, sig_node,
>   &ndepth);
>       (noffset >= 0) && (ndepth > 0);
> -     noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
> +     noffset = fdt_next_node(blob, noffset, &ndepth)) {
>   if (ndepth == 1 && noffset != node) {
>   ret = rsa_verify_with_keynode(info, hash,
>        sig, sig_len,

I was looking at this code ot too long ago and didn't notice the
inconsistency. I think it would be better to use 'info->fdt_blob' and
get rid of 'blob' completely.

Alex
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] lib: rsa: rsa-verify: don't look for keys in the FIT image

Philippe Reynes-3
Hi Alex

Le 12/01/2021 à 19:30, Alex G. a écrit :

> On 1/12/21 12:18 PM, Philippe Reynes wrote:
>
> Hi Philippe,
>
>> In the function rsa_verify_hash, if the "main" key doesn't
>> work, u-boot try others keys. But it searches those keys
>> in the FIT image instead of the u-boot device tree.
>>
>> Signed-off-by: Philippe Reynes <[hidden email]>
>> ---
>>   lib/rsa/rsa-verify.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
>> index 0ab0f629d0..e34d3293d1 100644
>> --- a/lib/rsa/rsa-verify.c
>> +++ b/lib/rsa/rsa-verify.c
>> @@ -522,10 +522,10 @@ int rsa_verify_hash(struct image_sign_info *info,
>>               return ret;
>>             /* No luck, so try each of the keys in turn */
>> -        for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node,
>> +        for (ndepth = 0, noffset = fdt_next_node(blob, sig_node,
>>                                &ndepth);
>>                (noffset >= 0) && (ndepth > 0);
>> -             noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
>> +             noffset = fdt_next_node(blob, noffset, &ndepth)) {
>>               if (ndepth == 1 && noffset != node) {
>>                   ret = rsa_verify_with_keynode(info, hash,
>>                                     sig, sig_len,
>
> I was looking at this code ot too long ago and didn't notice the
> inconsistency. I think it would be better to use 'info->fdt_blob' and
> get rid of 'blob' completely.
>
The variable blob is also used in function rsa_verify_with_keynode. So
it is the coding style for this part of code.
If you prefer to change this coding style and remove this variable blob
to use directly info->fdt_blob or rename this variable blob to fdt_blob,
I can send another patch to change it.
What other people (and you) think about this proposal ?
> Alex
Regards,
Philippe