[PATCH 0/3] Binman: fix signing an encrypted FIT with a preload key
Tom Rini
trini at konsulko.com
Fri Jul 11 19:34:18 CEST 2025
On Thu, Jul 03, 2025 at 02:54:51PM +0200, yan wang wrote:
> When running the test case testPreLoadEncryptedFit, mkimage has been called
> multiple times. Each call to Entry_fit's GetData falls into Entry_fit's
> BuildSectionData then mkimage is called. The last mkimage is called after
> the image has been signed with the preload key. As mkimage uses a random
> IV for encryption and the timestamps may differ, There is a
> mismatch between the previously calculated signature and the
> final fit included in the image.
>
> During ProcessImage, how can one tell when exactly a fit is well generated,
> and stop the useless mkimage afterwards?
>
> Paul HENRYS (2):
> binman: Generate the preload header and sign the data only once
> tools: binman: Test signing an encrypted FIT with a preload header
>
> yan wang (1):
> binman: Fix signing an encryted FIT with a preload key
>
> tools/binman/etype/pre_load.py | 12 ++--
> tools/binman/ftest.py | 17 +++++
> tools/binman/image.py | 10 +++
> .../test/336_pre_load_fit_encrypted.dts | 63 +++++++++++++++++++
> 4 files changed, 96 insertions(+), 6 deletions(-)
> create mode 100644 tools/binman/test/336_pre_load_fit_encrypted.dts
I had a small merge problem to resolve when applying this and maybe I
didn't do it right because now CI fails:
https://source.denx.de/u-boot/u-boot/-/jobs/1198369
Please rebase, retest and repost, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250711/a9b4cd2c/attachment.sig>
More information about the U-Boot
mailing list