fit_check_sig not hashing everything.
Martin Bonner
martingreybeard at gmail.com
Fri Jul 8 09:10:40 CEST 2022
On Thu, 7 Jul 2022 at 17:29, Martin Bonner <martingreybeard at gmail.com>
wrote:
> I have a 30MB FIT image as input, and I have added some debug to
> hash_calculate in rsa-checksum.c to print the amount of data being hashed.
> The answer is a rather scary "1106 bytes"! ...
>
> Can anyone clarify what is happening?
>
Never mind. I have found fit_image_check_hash in image-fit.c (yay for gdb
read watchpoints!) So the algorithm is basically "verify that the hashes
of each image is correct", then calculate a hash which includes the hashes
of the images (but not their data), and sign that. (I think it's
overcomplicated, and complexity is the enemy of security - but it's much
too late to change that.)
Martin
More information about the U-Boot
mailing list