Merge branch '2020-10-12-assorted-encryption-changes'

- Fix verified boot on BE targets
- Add support for multiple required keys in verified boots
- Add support for Initialization Vectors in AES keys in FIT images
- Assorted fixes in the RSA code

2 files changed, 44 insertions, 10 deletions

diff --git a/common/image-cipher.c b/common/image-cipher.c
index 09869f78464..4ca9eec4ef1 100644
--- a/common/image-cipher.c
+++ b/common/image-cipher.c
@@ -94,9 +94,11 @@ static int fit_image_setup_decrypt(struct image_cipher_info *info,
 		return -1;
 	}
 
+	info->iv = fdt_getprop(fit, cipher_noffset, "iv", NULL);
 	info->ivname = fdt_getprop(fit, cipher_noffset, "iv-name-hint", NULL);
-	if (!info->ivname) {
-		printf("Can't get IV name\n");
+
+	if (!info->iv && !info->ivname) {
+		printf("Can't get IV or IV name\n");
 		return -1;
 	}
 
@@ -120,8 +122,12 @@ static int fit_image_setup_decrypt(struct image_cipher_info *info,
 	 * Search the cipher node in the u-boot fdt
 	 * the path should be: /cipher/key-<algo>-<key>-<iv>
 	 */
-	snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s-%s",
-		 FIT_CIPHER_NODENAME, algo_name, info->keyname, info->ivname);
+	if (info->ivname)
+		snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s-%s",
+			 FIT_CIPHER_NODENAME, algo_name, info->keyname, info->ivname);
+	else
+		snprintf(node_path, sizeof(node_path), "/%s/key-%s-%s",
+			 FIT_CIPHER_NODENAME, algo_name, info->keyname);
 
 	noffset = fdt_path_offset(fdt, node_path);
 	if (noffset < 0) {
@@ -137,10 +143,12 @@ static int fit_image_setup_decrypt(struct image_cipher_info *info,
 	}
 
 	/* read iv */
-	info->iv = fdt_getprop(fdt, noffset, "iv", NULL);
 	if (!info->iv) {
-		printf("Can't get IV in cipher node '%s'\n", node_path);
-		return -1;
+		info->iv = fdt_getprop(fdt, noffset, "iv", NULL);
+		if (!info->iv) {
+			printf("Can't get IV in cipher node '%s'\n", node_path);
+			return -1;
+		}
 	}
 
 	return 0;
diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
index cc1967109ea..5401d9411b9 100644
--- a/common/image-fit-sig.c
+++ b/common/image-fit-sig.c
@@ -416,6 +416,10 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 {
 	int noffset;
 	int sig_node;
+	int verified = 0;
+	int reqd_sigs = 0;
+	bool reqd_policy_all = true;
+	const char *reqd_mode;
 
 	/* Work out what we need to verify */
 	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
@@ -425,6 +429,14 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 		return 0;
 	}
 
+	/* Get required-mode policy property from DTB */
+	reqd_mode = fdt_getprop(sig_blob, sig_node, "required-mode", NULL);
+	if (reqd_mode && !strcmp(reqd_mode, "any"))
+		reqd_policy_all = false;
+
+	debug("%s: required-mode policy set to '%s'\n", __func__,
+	      reqd_policy_all ? "all" : "any");
+
 	fdt_for_each_subnode(noffset, sig_blob, sig_node) {
 		const char *required;
 		int ret;
@@ -433,15 +445,29 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
 				       NULL);
 		if (!required || strcmp(required, "conf"))
 			continue;
+
+		reqd_sigs++;
+
 		ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
 					    noffset);
 		if (ret) {
-			printf("Failed to verify required signature '%s'\n",
-			       fit_get_name(sig_blob, noffset, NULL));
-			return ret;
+			if (reqd_policy_all) {
+				printf("Failed to verify required signature '%s'\n",
+				       fit_get_name(sig_blob, noffset, NULL));
+				return ret;
+			}
+		} else {
+			verified++;
+			if (!reqd_policy_all)
+				break;
 		}
 	}
 
+	if (reqd_sigs && !verified) {
+		printf("Failed to verify 'any' of the required signature(s)\n");
+		return -EPERM;
+	}
+
 	return 0;
 }