From 1eccbb16a2c0427488d91e169572c3c397c4c1d5 Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Sat, 25 Sep 2021 19:43:29 -0600
Subject: [PATCH] efi: Correct dependency on FIT_SIGNATURE

At present EFI_SECURE BOOT selects RSA but does not necessarily enable
FIT_SIGNATURE. Mostly this is fine, but a few boards do not enable it,
so U-Boot tries to do RSA verification when loading FIT images, but it
is not enabled.

This worked because the condition for checking the RSA signature is
wrong in the fit_image_verify_with_data() function. In order to fix it
we need to fix this dependency. Make sure that FIT_SIGNATURE is enabled
so that RSA can be used.

It might be better to avoid using 'select' in this situation.

Signed-off-by: Simon Glass <sjg@chromium.org>
---
 lib/efi_loader/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 3d5a5cd..83d584a6 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -336,7 +336,7 @@ config EFI_LOAD_FILE2_INITRD
 
 config EFI_SECURE_BOOT
 	bool "Enable EFI secure boot support"
-	depends on EFI_LOADER
+	depends on EFI_LOADER && FIT_SIGNATURE
 	select HASH
 	select SHA256
 	select RSA
-- 
2.7.4