From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH] crypto: public-keys: improve diagnostics for unsupported keys
Date: Wed, 20 Aug 2025 15:36:05 +0200 [thread overview]
Message-ID: <20250820133605.2928419-1-a.fatoum@pengutronix.de> (raw)
If we have CONFIG_CRYPTO_RSA disabled, we will compile in the keys, but
not use them and fail at FIT verification time with a confusing
image signature BAD.
Improve upon this by mentioning both at init and verification time
whether keys are usable or not.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/image-fit.c | 5 ++++-
crypto/public-keys.c | 4 +++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 2cde844e46a6..5272d9654a43 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -260,6 +260,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
static int fit_check_signature(struct device_node *sig_node,
enum hash_algo algo, void *hash)
{
+ const char *fail_reason = "no built-in keys";
const struct public_key *key;
const char *key_name = NULL;
int sig_len;
@@ -283,6 +284,8 @@ static int fit_check_signature(struct device_node *sig_node,
}
for_each_public_key(key) {
+ fail_reason = "verification failed";
+
if (key_name && !strcmp(key->key_name_hint, key_name))
continue;
@@ -291,7 +294,7 @@ static int fit_check_signature(struct device_node *sig_node,
goto ok;
}
- pr_err("image signature BAD\n");
+ pr_err("image signature BAD: %s\n", fail_reason);
return -EBADMSG;
ok:
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index fba963db4eb8..0c27ddd70902 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -94,8 +94,10 @@ static int init_public_keys(void)
for (iter = __public_keys_start; iter != __public_keys_end; iter++) {
struct public_key *key = public_key_dup(iter);
- if (!key)
+ if (!key) {
+ pr_warn("error while adding key\n");
continue;
+ }
public_key_add(key);
}
--
2.39.5
reply other threads:[~2025-08-20 14:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820133605.2928419-1-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox