tools: image: allow to sign image nodes without -K option
authorMasahiro Yamada <yamada.masahiro@socionext.com>
Fri, 27 Oct 2017 06:04:20 +0000 (15:04 +0900)
committerTom Rini <trini@konsulko.com>
Mon, 6 Nov 2017 14:59:00 +0000 (09:59 -0500)
If -K option is missing when you sign image nodes, it fails with
an unclear error message:

  tools/mkimage Can't add hashes to FIT blob: -1

It is hard to figure out the cause of the failure.

In contrast, when you sign configuration nodes, -K is optional because
fit_config_process_sig() returns successfully if keydest is unset.
Probably this is a preferred behavior when you want to update FIT with
the same key; you do not have to update the public key in this case.

So, this commit changes fit_image_process_sig() to continue signing
without keydest.  If ->add_verify_data() fails, show a clearer error
message, which has been borrowed from fit_config_process_sig().

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
tools/image-host.c

index ad9a73acf8eea53be633c6740e5d129cd3578f97..d42c1cae4ee9e6751f99989b96e86d8b450d33a8 100644 (file)
@@ -242,18 +242,19 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        /* Get keyname again, as FDT has changed and invalidated our pointer */
        info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
 
-       if (keydest)
-               ret = info.crypto->add_verify_data(&info, keydest);
-       else
-               return -1;
-
        /*
         * Write the public key into the supplied FDT file; this might fail
         * several times, since we try signing with successively increasing
         * size values
         */
-       if (keydest && ret)
-               return ret;
+       if (keydest) {
+               ret = info.crypto->add_verify_data(&info, keydest);
+               if (ret) {
+                       printf("Failed to add verification data for '%s' signature node in '%s' image node\n",
+                              node_name, image_name);
+                       return ret;
+               }
+       }
 
        return 0;
 }