[PATCH v3 1/3] tools: binman: Test signing an encrypted FIT with a preload header
Paul HENRYS
paul.henrys_ext at softathome.com
Fri Apr 3 09:41:47 CEST 2026
Hi Tom,
Just after pushing v3 I realized that this test would be better placed
under tools/binman/test/security/ than under tools/binman/test/fit/.
I am going to push a v4 with this change. Sorry for the inconvenience.
Kind regards,
Paul
On 03/04/2026 09:32, Paul HENRYS wrote:
> Add a test to verify the preload header correctly signs an encrypted
> FIT. This test exercises the case where encryption uses random IVs that
> would change between mkimage calls.
>
> Signed-off-by: Paul HENRYS <paul.henrys_ext at softathome.com>
> ---
> Changes for v3:
> - Rebase against 'next' branch
> - Move the test to tools/binman/test/fit, without a numeric prefix
> - Update encryption key path passed to _DoReadFileDtb()
>
> tools/binman/ftest.py | 21 +++++++
> .../test/fit/pre_load_fit_encrypted.dts | 63 +++++++++++++++++++
> 2 files changed, 84 insertions(+)
> create mode 100644 tools/binman/test/fit/pre_load_fit_encrypted.dts
>
> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
> index ca5149ee654..301c7705837 100644
> --- a/tools/binman/ftest.py
> +++ b/tools/binman/ftest.py
> @@ -5895,6 +5895,27 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
> data = self._DoReadFileDtb('security/pre_load_invalid_key.dts',
> entry_args=entry_args)
>
> + def testPreLoadEncryptedFit(self):
> + """Test an encrypted FIT image with a pre-load header"""
> + entry_args = {
> + 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),
> + }
> + data = tools.read_file(self.TestFile("fit/aes256.bin"))
> + self._MakeInputFile("keys/aes256.bin", data)
> +
> + keys_subdir = os.path.join(self._indir, "keys")
> + data = self._DoReadFileDtb(
> + 'fit/pre_load_fit_encrypted.dts', entry_args=entry_args,
> + extra_indirs=[keys_subdir])[0]
> +
> + image_fname = tools.get_output_filename('image.bin')
> + is_signed = self._CheckPreload(image_fname, self.TestFile("dev.key"))
> +
> + self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])
> + self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])
> + self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])
> + self.assertEqual(is_signed, True)
> +
> def _CheckSafeUniqueNames(self, *images):
> """Check all entries of given images for unsafe unique names"""
> for image in images:
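Review bot: testPreLoadEncryptedFit would still pass if `fit,encrypt` were silently not applied, because nothing between the `_DoReadFileDtb` call and the final assertions checks that the FIT inside `data` was actually ciphered, so the random-IV case this commit is meant to exercise is not pinned down by the test itself. Using the same FIT-inspection helpers the other fit tests in ftest.py rely on, I would add an assertion that the `u-boot` and `fdt-1` image nodes carry the property mkimage writes when it ciphers an image (`data-size-unciphered`, if I have the name right — please confirm against mkimage's output). The `data` local is also bound first to the AES key bytes and then rebound to the image; `key_data = tools.read_file(self.TestFile("fit/aes256.bin"))` followed by `self._MakeInputFile("keys/aes256.bin", key_data)` reads more clearly. Finally, `self.assertEqual(is_signed, True)` could be `self.assertTrue(is_signed)`, though it does match the style of the existing preload tests above the hunk.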
> diff --git a/tools/binman/test/fit/pre_load_fit_encrypted.dts b/tools/binman/test/fit/pre_load_fit_encrypted.dts
> new file mode 100644
> index 00000000000..f5e9bf9426c
> --- /dev/null
> +++ b/tools/binman/test/fit/pre_load_fit_encrypted.dts
> @@ -0,0 +1,63 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +
> +/ {
> + #address-cells = <1>;
> + #size-cells = <1>;
> +
> + binman {
> + pre-load {
> + content = <&image>;
> + algo-name = "sha256,rsa2048";
> + key-name = "dev.key";
> + header-size = <4096>;
> + version = <0x11223344>;
> + };
> +
> + image: fit {
> + fit,encrypt;
> + description = "Test a FIT with encrypted data and signed with a preload";
> + #address-cells = <1>;
> +
> + images {
> + u-boot {
> + description = "U-Boot";
> + type = "firmware";
> + arch = "arm64";
> + os = "U-Boot";
> + compression = "none";
> + load = <00000000>;
> + entry = <00000000>;
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + u-boot-nodtb {
> + };
> + };
> + fdt-1 {
> + description = "Flattened Device Tree blob";
> + type = "flat_dt";
> + arch = "arm64";
> + compression = "none";
> + cipher {
> + algo = "aes256";
> + key-name-hint = "aes256";
> + };
> + u-boot-dtb {
> + };
> + };
> + };
> +
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + description = "Boot U-Boot with FDT blob";
> + firmware = "u-boot";
> + fdt = "fdt-1";
> + };
> + };
> + };
> + };
> +};