Re: [PATCH 03/15] fit: only accept keys from "fit"-keyring

[Ahmad Fatoum <a.fatoum@pengutronix.de>]

Hi,

On 10/14/25 1:02 PM, Jonas Rebmann wrote:
> Separate keys shall be used for fitimage verification and the upcoming
> TLV verification.
> 
> Based on the newly introduced keyring feature, limit fitimage
> verification to the keys in the keyring literally named "fit", which is
> also the current default keyring name in keytoc for backwards
> compatibility.
> 
> Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
> ---
>  common/image-fit.c          | 13 ++++++++-----
>  crypto/public-keys.c        | 13 ++++++++++---
>  crypto/rsa.c                |  1 +
>  include/crypto/public_key.h |  9 ++++++++-
>  include/tlv/tlv.h           |  1 +
>  5 files changed, 28 insertions(+), 9 deletions(-)
> 
> diff --git a/common/image-fit.c b/common/image-fit.c
> index 3017ccb504..0cbe8baf6f 100644
> --- a/common/image-fit.c
> +++ b/common/image-fit.c
> @@ -261,7 +261,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
>  static int fit_check_signature(struct fit_handle *handle, struct device_node *sig_node,
>  			       enum hash_algo algo, void *hash)
>  {
> -	const char *fail_reason = "no built-in keys";
> +	const char *fail_reason;
>  	const struct public_key *key;
>  	const char *key_name = NULL;
>  	int sig_len;
> @@ -274,10 +274,13 @@ static int fit_check_signature(struct fit_handle *handle, struct device_node *si
>  		return -EINVAL;
>  	}
>  
> +	fail_reason = "no matching keys";
> +
>  	of_property_read_string(sig_node, "key-name-hint", &key_name);
>  	if (key_name) {
> -		key = public_key_get(key_name);
> +		key = public_key_get(key_name, "fit");
>  		if (key) {
> +			fail_reason = "verification failed";
>  			ret = public_key_verify(key, sig_value, sig_len, hash, algo);
>  			if (handle->verbose)
>  				pr_info("Key %*phN (%s) -> signature %s\n", key->hashlen,
> @@ -287,13 +290,13 @@ static int fit_check_signature(struct fit_handle *handle, struct device_node *si
>  		}
>  	}
>  
> -	for_each_public_key(key) {
> -		fail_reason = "verification failed";
> +	for_each_public_key_keyring(key, "fit") {
>  
>  		/* Don't recheck with same key as before */
> -		if (streq_ptr(key->key_name_hint, key_name))
> +		if (key_name && streq_ptr(key->key_name_hint, key_name))

Ouch. This should be fixed up into the commit introducing streq_ptr as
that one breaks handling of multiple keys where there are no hints..

I sent a fixup.


Cheers,
Ahmad

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |