fit_check_sig not hashing everything.

Martin Bonner martingreybeard at
Fri Jul 8 09:10:40 CEST 2022

On Thu, 7 Jul 2022 at 17:29, Martin Bonner <martingreybeard at>

> I have a 30MB FIT image as input, and I have added some debug to
> hash_calculate in rsa-checksum.c to print the amount of data being hashed.
> The answer is a rather scary "1106 bytes"! ...
> Can anyone clarify what is happening?

Never mind.  I have found fit_image_check_hash in image-fit.c (yay for gdb
read watchpoints!)  So the algorithm is basically "verify that the hashes
of each image is correct", then calculate a hash which includes the hashes
of the images (but not their data), and sign that.  (I think it's
overcomplicated, and complexity is the enemy of security - but it's much
too late to change that.)


More information about the U-Boot mailing list