If we have CONFIG_CRYPTO_RSA disabled, we will compile in the keys, but not use them, and fail at FIT verification time with a confusing "image signature BAD" message.
Improve upon this by mentioning both at init and verification time whether keys are usable or not.
Signed-off-by: Ahmad Fatoum <[email protected]>
---
 common/image-fit.c | 5 ++++-
 crypto/public-keys.c | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/common/image-fit.c b/common/image-fit.c
index 2cde844e46a6..5272d9654a43 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -260,6 +260,7 @@ static struct digest *fit_alloc_digest(struct device_node *sig_node,
 static int fit_check_signature(struct device_node *sig_node,
 enum hash_algo algo, void *hash)
 {
+ const char *fail_reason = "no built-in keys";
 const struct public_key *key;
 const char *key_name = NULL;
 int sig_len;
@@ -283,6 +284,8 @@ static int fit_check_signature(struct device_node *sig_node,
 }
 for_each_public_key(key) {
+ fail_reason = "verification failed";
+
 if (key_name && !strcmp(key->key_name_hint, key_name))
 continue;
@@ -291,7 +294,7 @@ static int fit_check_signature(struct device_node *sig_node,
 goto ok;
 }
- pr_err("image signature BAD\n");
+ pr_err("image signature BAD: %s\n", fail_reason);
 return -EBADMSG;
 ok:
diff --git a/crypto/public-keys.c b/crypto/public-keys.c
index fba963db4eb8..0c27ddd70902 100644
--- a/crypto/public-keys.c
+++ b/crypto/public-keys.c
@@ -94,8 +94,10 @@ static int init_public_keys(void)
 for (iter = __public_keys_start; iter != __public_keys_end; iter++) {
 struct public_key *key = public_key_dup(iter);
- if (!key)
+ if (!key) {
+ pr_warn("error while adding key\n");
 continue;
+ }
 public_key_add(key);
 }
--
2.39.5
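Review bot: In fit_check_signature() (common/image-fit.c), the initial reason `"no built-in keys"` is printed whenever for_each_public_key() visits no key, but the commit description says that with CONFIG_CRYPTO_RSA disabled the keys are compiled in and only fail to become usable. The log line can therefore contradict the build configuration and send someone debugging a failed secure boot looking for missing keys instead of a missing algorithm. Wording that matches the condition would be `const char *fail_reason = "no usable public keys";`. The function body starts before and continues past these three hunks.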
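Review bot: The new `pr_warn("error while adding key\n")` in init_public_keys() (crypto/public-keys.c) does not say which key was dropped, so with several compiled-in keys the log cannot show whether the trusted set lost the key an image is signed with. If iter points at a struct public_key, as the call public_key_dup(iter) suggests, naming the key would help: `pr_warn("error while adding key %s\n", iter->key_name_hint);` (guarded if the hint can be NULL). The reason for the NULL return is not reported either; public_key_dup() is outside the hunk, so its failure causes cannot be confirmed from here.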
