From 6e221b4a3488545eb12a9d07dee5e9b2e9f83c30 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Tue, 5 May 2026 13:08:16 +0200
Subject: [PATCH] fix(auth): make key measurement failure fatal

If plat_mboot_measure_image() fails -- in load_auth_image(), file "common/bl_common.c" --, then that failure overrides the success of load_auth_image_internal(), the error code from plat_mboot_measure_image() is propagated outwards, and the boot process eventually halts.

The way plat_mboot_measure_key() is currently treated is inconsistent with the above. If plat_mboot_measure_key() fails -- in auth_signature() and auth_mod_verify_img(), file "drivers/auth/auth_mod.c" --, then its error is only logged (at the VERBOSE level), and then the error is suppressed / ignored.

The inconsistency itself is questionable, but in particular for platforms where trusted boot is backed by RSE, it may lead to garbage measurement records. Such platforms generally collect (outermost) Signer IDs (i.e., pubkey hashes) and image hashes into the same rows of a table (by calling rse_mboot_set_signer_id() and rse_mboot_measure_and_record() respectively), associated by pubkey OID. A failed pubkey measurement may lead to an incomplete record (one lacking a Signer ID) being sent to the RSE, all the while the RSE API mandates Signer ID in the record.

Propagate plat_mboot_measure_key() failure as well, so that it prevents successful boot. (Arguably, an outright failed boot is better than garbage measurements.)

Platforms that thus far have depended on error suppression for plat_mboot_measure_key() should now return constant zero from their plat_mboot_measure_key() implementations.

Change-Id: I2bc661c7b742a5256d34898fc69df2734fb30fdd
Signed-off-by: Laszlo Ersek
---
 drivers/auth/auth_mod.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/auth/auth_mod.c b/drivers/auth/auth_mod.c
index 9aaa56768..d26112199 100644
--- a/drivers/auth/auth_mod.c
+++ b/drivers/auth/auth_mod.c
@@ -288,6 +288,7 @@ static int auth_signature(const auth_method_param_sig_t *param, if (rc != 0) { VERBOSE("[TBB] %s():%d failed with error code %d.\n", __func__, __LINE__, rc); + return rc; } } @@ -581,6 +582,7 @@ int auth_mod_verify_img(unsigned int img_id, if (rc != 0) { VERBOSE("[TBB] %s():%d failed with error code %d.\n", __func__, __LINE__, rc); + return rc; } } }
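Review bot: in the auth_signature() hunk the failure becomes fatal but is still reported only through VERBOSE(), so on a default (non-verbose) build the boot now halts with no trace of which step failed; raise the message to ERROR() (or at least WARN()) before the new `return rc;`, and have it name plat_mboot_measure_key() explicitly, because the generic `[TBB] %s():%d failed with error code %d.` text is the same string used for other failure paths in this function and a `__LINE__` value is all that distinguishes them.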
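Review bot: the auth_mod_verify_img() hunk has the same VERBOSE-only logging on what is now a fatal path, and the diffstat shows that only drivers/auth/auth_mod.c changes even though the commit message now imposes a contract on every platform port (plat_mboot_measure_key() must return zero if the platform has nothing to measure, otherwise boot fails); that return-value contract should be stated in the porting-guide description of plat_mboot_measure_key() in this same patch, so that platforms which previously relied on the suppressed error discover the change from the documentation rather than from a halted boot.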