[PATCH] Provide more details of exactly how configuration signatures are calculated

Martin Bonner martingreybeard at gmail.com
Wed Jul 20 09:14:56 CEST 2022


I have just spent a week reverse-engineering this, so I thought I'd
contribute the work back to the community.

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 61a72db3c7..61cdd55e40 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -382,6 +382,25 @@ verified later even if the FIT has been signed
with other keys in the
 meantime.


+Details
+-------
+The signature node contains a property ('hashed-nodes') which lists all the
+nodes that the signature was made over.  The image is walked in order and each
+tag processed as follows:
+- DTB_BEGIN_NODE: The tag and the following name are added to the signature if
+  the node or its parent are present in 'hashed-nodes'
+- DTB_END_NODE: The tag is added to the signature if the node or its parent are
+  present in 'hashed-nodes'
+- DTB_PROPERTY: The tag, the length word, the offset in the string table, and
+  the data are all included if the node is present in 'hashed-nodes' and the
+  property name is not 'data'.
+- DTB_END: The tag is always included.
+
+In addition, the signature contains a property 'hashed-strings' which contains
+the offset and length in the string table of the strings that are to be added
+to the signature (this is always done at the end).
+
+
 Verification
 ------------
 FITs are verified when loaded. After the configuration is selected a list
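Review bot: In the tag list, the DTB_BEGIN_NODE and DTB_END_NODE bullets say "the node or its parent" while the DTB_PROPERTY bullet says only "the node", and nothing states whether "parent" means the immediate parent or any ancestor. Please say whether the difference is intended and which is meant, since someone reimplementing the hash needs the exact rule. The tag names would also be easier to find in the source if they matched the devicetree specification and libfdt names (FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END), and the list should say how FDT_NOP tags are treated. Throughout the new section, "added to the signature" would be more precise as "included in the data that is hashed and signed", and "the signature contains a property 'hashed-strings'" should read "the signature node contains" to match the first paragraph.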

-- 
Martin

