[PATCH 1/2] tools: binman: Test signing an encrypted FIT with a preload header
yan wang
yan.wang at softathome.com
Mon Jun 2 16:52:27 CEST 2025
From: Paul HENRYS <paul.henrys_ext at softathome.com>
This test is added to work on issue currently faced with binman.
Binman calls multiple times mkimage and thus generates the FIT multiple
times and the last call happens after the preload header has been
generated. When encrypting the image with a random IV or if the timestamp
in the FIT has changed between the 2 last calls of mkimage, the preload
header would not sign the correct data leading to a corrupted image.
Signed-off-by: Paul HENRYS <paul.henrys_ext at softathome.com>
---
tools/binman/ftest.py | 17 +++++
.../test/336_pre_load_fit_encrypted.dts | 63 +++++++++++++++++++
2 files changed, 80 insertions(+)
create mode 100644 tools/binman/test/336_pre_load_fit_encrypted.dts
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 4670ca7d515..0ca04eda9ac 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -5863,6 +5863,23 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
data = self._DoReadFileDtb('236_pre_load_invalid_key.dts',
entry_args=entry_args)
+ def testPreLoadEncryptedFit(self):
+ """Test an encrypted FIT image with a pre-load header"""
+ entry_args = {
+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),
+ }
+ data = self._DoReadFileDtb(
+ '336_pre_load_fit_encrypted.dts', entry_args=entry_args,
+ extra_indirs=[os.path.join(self._binman_dir, 'test')])[0]
+
+ image_fname = tools.get_output_filename('image.bin')
+ is_signed = self._CheckPreload(image_fname, self.TestFile("dev.key"))
+
+ self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])
+ self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])
+ self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])
+ self.assertEqual(is_signed, True)
+
def _CheckSafeUniqueNames(self, *images):
"""Check all entries of given images for unsafe unique names"""
for image in images:
diff --git a/tools/binman/test/336_pre_load_fit_encrypted.dts b/tools/binman/test/336_pre_load_fit_encrypted.dts
new file mode 100644
index 00000000000..f5e9bf9426c
--- /dev/null
+++ b/tools/binman/test/336_pre_load_fit_encrypted.dts
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ pre-load {
+ content = <&image>;
+ algo-name = "sha256,rsa2048";
+ key-name = "dev.key";
+ header-size = <4096>;
+ version = <0x11223344>;
+ };
+
+ image: fit {
+ fit,encrypt;
+ description = "Test a FIT with encrypted data and signed with a preload";
+ #address-cells = <1>;
+
+ images {
+ u-boot {
+ description = "U-Boot";
+ type = "firmware";
+ arch = "arm64";
+ os = "U-Boot";
+ compression = "none";
+ load = <00000000>;
+ entry = <00000000>;
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-nodtb {
+ };
+ };
+ fdt-1 {
+ description = "Flattened Device Tree blob";
+ type = "flat_dt";
+ arch = "arm64";
+ compression = "none";
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-dtb {
+ };
+ };
+ };
+
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ description = "Boot U-Boot with FDT blob";
+ firmware = "u-boot";
+ fdt = "fdt-1";
+ };
+ };
+ };
+ };
+};
--
2.25.1
More information about the U-Boot
mailing list