[PATCH v2] boot: Add fit_config_get_hash_list() to build signed node list
Simon Glass
sjg at chromium.org
Mon Apr 13 16:54:43 CEST 2026
Hi Ahmad,
On Wed, 11 Mar 2026 at 08:17, Ahmad Fatoum <a.fatoum at pengutronix.de> wrote:
>
> Hello Simon,
>
> On 3/6/26 2:20 AM, Simon Glass wrote:
> > From: Simon Glass <simon.glass at canonical.com>
>
> > + /* Process each image referenced by the config */
> > + image_count = 0;
> > + fdt_for_each_property_offset(prop_offset, fit, conf_noffset) {
> > + const char *prop_name;
> > + int img_count, i;
> > +
> > + fdt_getprop_by_offset(fit, prop_offset, &prop_name, NULL);
> > + if (!prop_name)
> > + continue;
> > +
> > + /* Skip properties that are not image references */
> > + if (!strcmp(prop_name, FIT_DESC_PROP) ||
> > + !strcmp(prop_name, FIT_COMPAT_PROP) ||
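Review bot: prop_name is declared without an initializer and the return value of fdt_getprop_by_offset() is discarded, so the 'if (!prop_name)' test reads an indeterminate pointer whenever the call fails without storing a name. Initialize it ('const char *prop_name = NULL;') or test the call's return value instead. Also consider returning an error rather than 'continue' at that point: this loop builds the list of nodes covered by the signature, and silently skipping a property that cannot be read means the list is derived from a partial view of the configuration.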
>
> I know you need to mimic what mkimage does on the other side, but I
> found this surprising:
>
> The configuration node name is probably hashed along with the FDT node,
> but compatible isn't, so relying on compatible means an attacker can
> trivially control which configuration is booted.
>
> > + !strcmp(prop_name, FIT_DEFAULT_PROP))
>
> I am aware of /configurations/default, but what does a default property
> within a configuration signify?
Belated reply, but yes we don't use a default property within the
configuration.
So we don't need that extra check, i.e. if someone did add a 'default'
property into the configuration it would be OK to fail the signature
check.
[..]
Regards,
Simon