From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 9BDF5C433F5
	for <u-boot@archiver.kernel.org>; Sat, 12 Mar 2022 02:26:49 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 84BF383B48;
	Sat, 12 Mar 2022 03:26:13 +0100 (CET)
Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.b="IdBaQNyA";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 2005583B05; Sat, 12 Mar 2022 03:25:29 +0100 (CET)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com
 [IPv6:2607:f8b0:4864:20::32e])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 0D48F83B0E
 for <u-boot@lists.denx.de>; Sat, 12 Mar 2022 03:25:04 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=sjg@google.com
Received: by mail-ot1-x32e.google.com with SMTP id
 d15-20020a05683018ef00b005b2304fdeecso7581647otf.1
 for <u-boot@lists.denx.de>; Fri, 11 Mar 2022 18:25:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=TbbZhO46EY6TSoV9nsp56gI3bMyyM9DmAfHkTwvoae0=;
 b=IdBaQNyA7/olWup+pP1rbhZcfBTU9ADFPkQ05f4RgVRFSxem9H7odEK/+7gyCZCmJ9
 IJ3UrSr/6nmB3qBJxPN92ESsVzAd1bI5rcme8q2NJu4cdTU6ZXczJ7S0MYzw1p9NMMwG
 hQRuK8K9QCN/9Br9USi3JaWIAjRFZpdCy/JbU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=TbbZhO46EY6TSoV9nsp56gI3bMyyM9DmAfHkTwvoae0=;
 b=U8GkkGau2TmTYM05vjH/3L/oR/B+QsVNJ9jcdNviuhvScZkOCBBSkPcwIzcz3DbURx
 6aGCP92tP+dS1hThjBovftN0SOgwltjc0R0ZWzRl4tAHrQ+mvjbQFIwwa17g8vDjwu2j
 OLWBIYrznoZ9X/ad1V8Z7vjw7M0OY9KVWJbxigXRrXuqp3SZ1pzh6pCmItcKU8u4hX0Y
 qhnQ5JG4C2OMPguzvSjrvhHixhrr9QSBZ+/WvwVaqy+apmhzXRyODxWRS2aq2yh2lB+o
 vYFuBaWh2G0SBSEy/nDub9DMUysMWfn/0QiH1uZOfDW2OqJzMSd+H2IRlyKyNLfRUsUK
 l+Pw==
X-Gm-Message-State: AOAM530+boAVChFWFkvwUjUS9YCyj6dKq5/P9kNvlp5BO2UgK48291u8
 22ou5qwez+1MFDwNAw7+b3xL+Q++4jfqATFJFEdPB0nY1vIQEA==
X-Google-Smtp-Source: ABdhPJz8dM4kW3sXusyXEojiXwK1BIV71NRTe7re5gVXyCevlMYfVWdNvKiplzp/mE8hWz2GHNiCdT191xi7GfmtpEs=
X-Received: by 2002:a05:6830:1de5:b0:5b2:367e:5365 with SMTP id
 b5-20020a0568301de500b005b2367e5365mr6362416otj.351.1647051901385; Fri, 11
 Mar 2022 18:25:01 -0800 (PST)
MIME-Version: 1.0
References: <20211006154717.1130245-1-angelo.dureghello@timesys.com>
 <db0d7cc8-3166-de76-f076-240c1c769128@gmail.com>
 <CAPnjgZ3vXrMW9abB0uEQ9xEVTe=RoOxWhFzsyTie9d5+MMWJdg@mail.gmail.com>
 <CALJHbkARjEyAxJeWL4a-TCT1fW2D5_0UVcaDOCPH0cL-pPY4ZA@mail.gmail.com>
In-Reply-To: <CALJHbkARjEyAxJeWL4a-TCT1fW2D5_0UVcaDOCPH0cL-pPY4ZA@mail.gmail.com>
From: Simon Glass <sjg@chromium.org>
Date: Fri, 11 Mar 2022 19:24:46 -0700
Message-ID: <CAPnjgZ28Rgh9fP0XNgpdG94sfA7X64p=8APhBP6NKey1d37gkQ@mail.gmail.com>
Subject: Re: [PATCH] fit: display proper node on error
To: Angelo Dureghello <angelo.dureghello@timesys.com>
Cc: "Alex G." <mr.nuke.me@gmail.com>, Tom Rini <trini@konsulko.com>, 
 U-Boot Mailing List <u-boot@lists.denx.de>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Hi Angelo,

On Mon, 25 Oct 2021 at 15:11, Angelo Dureghello
<angelo.dureghello@timesys.com> wrote:
>
> Hi,
>
> On Sun, Oct 24, 2021 at 9:53 PM Simon Glass <sjg@chromium.org> wrote:
>>
>> Hi Alex,
>>
>> On Wed, 6 Oct 2021 at 10:00, Alex G. <mr.nuke.me@gmail.com> wrote:
>> >
>> > + Simon
>> >
>> > On 10/6/21 10:47 AM, Angelo Dureghello wrote:
>> > > Fix final error message from
>> > >
>> > > Verification failed for '<NULL>' hash node in 'conf@1' config node
>> > >
>> > > to
>> > >
>> > > Verification failed for 'signature@1' hash node in 'conf@1' config node
>> > >
>> > > Signed-off-by: Angelo Dureghello <angelo.dureghello@timesys.com>
>> > > ---
>> > >   common/image-fit-sig.c | 2 +-
>> > >   1 file changed, 1 insertion(+), 1 deletion(-)
>> > >
>> > > diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
>> > > index b979cd2a4b..4f2a6ef214 100644
>> > > --- a/common/image-fit-sig.c
>> > > +++ b/common/image-fit-sig.c
>> > > @@ -166,8 +166,8 @@ static int fit_image_verify_sig(const void *fit, int image_noffset,
>> > >                       } else {
>> > >                               puts("+ ");
>> > >                               verified = 1;
>> > > -                             break;
>> > >                       }
>> > > +                     break;
>> >
>> > This would stop checking after the first signature- node. It seems
>> > counter-intuitive, as I would expect all signatures to be checked.
>> >
>>
>> > In my mind, the 'break;' clause should only happen when
>> > fit_image_check_sig() returns an error. I have no idea why it happened
>> > on success. Simon, any thoughts?
>>
>> If you have a 'required' signature you can use the signed-configs
>> approach. Checking the signature of individual images is not actually
>> all that useful.
>>
>> So I think the break is in the right place. It checks all signatures
>> and reports them, but only cares whether at least one was verified.
>>
>> For the error message to be correct, we need to save the noffset of
>> the failed node in a separate variable, I think, so we can report the
>> last error we got.
>>
>
> Oh, looks like i sent a wrong patch also, since the
> error was related on signature check in a config node:
>
> Verification failed for 'signature@1' hash node in 'conf@1' config node
>
> and i patched the image check, this since i couldn't retest on
> the board. But the check mechanism seems the same.
>
> Anyway, fit_image_check_sig() was properly returning an error, and
> issue was related to imx caam driver used for rsa calc. With sw calc
> i have signature verification on conf node passed:
>
> Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
>
> So my understanding is that after an error we want to check for
> further "signature" subnodes inside the same "conf" or image node,
> but i have never seen more than one signature, is it something
> supported/allowed ?

Yes it should check all signatures until it runs out or finds a match.

Regards,
Simon