From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 6/6] fit: improve diagnostics
Date: Thu, 21 Aug 2025 15:18:29 +0200
Message-ID: <20250821-keynames-v1-6-8144af76d0ab@pengutronix.de>
In-Reply-To: <20250821-keynames-v1-0-8144af76d0ab@pengutronix.de>

FIT image output can become very verbose when a FIT image with multiple
device tree overlays is used. This hides several messages from normal
output and only prints them in verbose mode (i.e. called via bootm -v).

Also from the output we could not see if all available keys fail to
verify the image or if no key is available at all. This patch improves
this by printing clearly that no keys are available.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/image-fit.c   | 23 +++++++++++++++++------
 crypto/public-keys.c |  4 +++-
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index 1fe5aaf9bb186ae2407818b7824deea3f182e3e0..46e687bf91412f6957a8ba61c4b81648a8346b1d 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -258,6 +258,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
 static int fit_check_signature(struct fit_handle *handle, struct device_node *sig_node,
 			       enum hash_algo algo, void *hash)
 {
+	const char *fail_reason = "no built-in keys";
 	const struct public_key *key;
 	const char *key_name = NULL;
 	int sig_len;
@@ -275,26 +276,34 @@ static int fit_check_signature(struct fit_handle *handle, struct device_node *si
 		key = public_key_get(key_name);
 		if (key) {
 			ret = public_key_verify(key, sig_value, sig_len, hash, algo);
+			if (handle->verbose)
+				pr_info("Key %*phN (%s) -> signature %s\n", key->hashlen,
+					key->hash, key_name, ret ? "BAD" : "OK");
 			if (!ret)
 				goto ok;
 		}
 	}
 
 	for_each_public_key(key) {
+		fail_reason = "verification failed";
+
 		if (key_name && !strcmp(key->key_name_hint, key_name))
 			continue;
 
 		ret = public_key_verify(key, sig_value, sig_len, hash, algo);
+
+		if (handle->verbose)
+			pr_info("Key %*phN -> signature %s\n", key->hashlen, key->hash,
+				ret ? "BAD" : "OK");
+
 		if (!ret)
 			goto ok;
 	}
 
-	pr_err("image signature BAD\n");
+	pr_err("image signature BAD: %s\n", fail_reason);
 
 	return -EBADMSG;
 ok:
-	pr_info("image signature OK\n");
-
 	return 0;
 }
 
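Review bot: On the `ok:` path the `pr_info("image signature OK\n")` is removed outright rather than gated, so a non-verbose boot log no longer contains any line showing that a signature was checked and accepted; only the failure case is visible. Consider keeping one success line at `ok:` (ideally naming the key that verified), since the per-key "signature OK" lines only appear with bootm -v. Separately, the verbose line inside the `for_each_public_key` loop prints only the hash, while the named lookup above also prints the name; `key->key_name_hint` is already used in the `strcmp()` a few lines earlier and could be printed there for consistency.
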
@@ -417,10 +426,11 @@ static int fit_verify_hash(struct fit_handle *handle, struct device_node *image,
 	digest_update(d, data, data_len);
 
 	if (digest_verify(d, value_read)) {
-		pr_info("%pOF: hash BAD\n", hash);
+		pr_err("%pOF: hash BAD\n", hash);
 		ret =  -EBADMSG;
 	} else {
-		pr_info("%pOF: hash OK\n", hash);
+		if (handle->verbose)
+			pr_info("%pOF: hash OK\n", hash);
 		ret = 0;
 	}
 
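Review bot: The BAD branch silently changes severity from `pr_info` to `pr_err`, which the commit message does not mention; it only describes moving messages to verbose mode. The change itself looks right for a failed hash, but it alters what appears at reduced log levels, so it deserves a sentence in the commit log.
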
@@ -663,7 +673,8 @@ int fit_open_image(struct fit_handle *handle, void *configuration,
 		return ret;
 
 	of_property_read_string(image, "description", &desc);
-	pr_info("image '%s': '%s'\n", unit, desc);
+	if (handle->verbose)
+		pr_info("image '%s': '%s'\n", unit, desc);
 
 	of_property_read_string(image, "type", &type);
 	if (!type) {
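Review bot: With the print now conditional, the `of_property_read_string(image, "description", &desc)` call above it runs even when its result is never printed. If `desc` has no other user further down, move the lookup into the `if (handle->verbose)` block. Its return value is also unchecked in these lines, so make sure `desc` has a defined default for images without a description property before it reaches `%s`.
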
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index 3b691ffd6aa536084aefca90933b4bb74b724423..05ea6e76d212e9a37a6691647ce9e6350141c18d 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -96,8 +96,10 @@ static int init_public_keys(void)
 	for (iter = __public_keys_start; iter != __public_keys_end; iter++) {
 		struct public_key *key = public_key_dup(iter);
 
-		if (!key)
+		if (!key) {
+			pr_warn("error while adding key\n");
 			continue;
+		}
 
 		public_key_add(key);
 	}
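
Review bot: The new `pr_warn("error while adding key\n")` says neither which entry was dropped nor why `public_key_dup()` failed, so the warning cannot be tied to a specific compiled-in key. Print an identifier for the entry (its position in the `__public_keys_start` array, or a name hint if `iter` carries one). Note the interaction with the image-fit.c change in this patch: if every entry fails here and the list walked by `for_each_public_key` is the one filled by `public_key_add()`, the FIT error will read "no built-in keys" although keys were built in, which makes this warning the only clue and an argument for making it more specific.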

-- 
2.39.5




Thread overview: 7+ messages
2025-08-21 13:18 [PATCH 0/6] crypto: keys: Some work for public keys Sascha Hauer
2025-08-21 13:18 ` [PATCH 1/6] crypto: drop BOOTM_FITIMAGE_PUBKEY Sascha Hauer
2025-08-21 13:18 ` [PATCH 2/6] crypto: Allow to include development keys in build Sascha Hauer
2025-08-21 13:18 ` [PATCH 3/6] crypto: include public key hashes Sascha Hauer
2025-08-21 13:18 ` [PATCH 4/6] commands: add keys command Sascha Hauer
2025-08-21 13:18 ` [PATCH 5/6] fit: consistently pass around fit_handle Sascha Hauer
2025-08-21 13:18 ` Sascha Hauer [this message]
