[PATCH 2/4] iminfo: also verify signatures
Quentin Schulz
quentin.schulz at cherry.de
Mon Apr 27 18:19:24 CEST 2026
Hi Ludwig,
On 4/27/26 5:03 PM, Ludwig Nussel wrote:
> The iminfo command already verifies hashes of images. This change also
> verifies signatures of configurations if enabled.
>
> Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>
> ---
>
> boot/image-fit.c | 36 ++++++++++++++++++++++++++++++++++++
> cmd/bootm.c | 7 +++++++
> include/image.h | 1 +
> 3 files changed, 44 insertions(+)
>
> diff --git a/boot/image-fit.c b/boot/image-fit.c
> index 2d2709aa5b1..b2c6db79edb 100644
> --- a/boot/image-fit.c
> +++ b/boot/image-fit.c
> @@ -1512,6 +1512,42 @@ int fit_all_image_verify(const void *fit)
> return 1;
> }
>
> +int fit_all_configurations_verify(const void *fit)
> +{
Please document this function. It's clearly surprising to me that the
function successfully returns if at least one conf node could be verified.
> + int confs_noffset;
> + int noffset;
> + int r = -ENOENT;
> +
> + /* Find images parent node offset */
> + confs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH);
> + if (confs_noffset < 0) {
> + printf("Can't find configurations parent node '%s' (%s)\n",
> + FIT_IMAGES_PATH, fdt_strerror(confs_noffset));
> + return confs_noffset;
> + }
> +
> + /* Process all config subnodes, check hashes for each */
> + printf("## Checking signatures for FIT Image at %08lx ...\n",
> + (ulong)fit);
> +
Please mention in the log output that we are checking conf signatures
and not image signatures.
> + fdt_for_each_subnode(noffset, fit, confs_noffset) {
> + int ret;
> +
> + printf("%s ... ", fit_get_name(fit, noffset, NULL));
Please indent like we have for fit image node verification, with 3
leading spaces.
> + ret = fit_config_verify(fit, noffset);
> + if (ret) {
> + r = ret;
> + continue;
> + }
> + /* at least one correct config */
> + if (r == -ENOENT)
Where is this ENOENT originating from? It's not obvious to me.
> + r = 0;
This will be overwritten if the last checked config is a fail, so it
isn't "at least one correct config".
> + puts("OK\n");
> + }
> +
> + return r;
Please stay consistent with fit_all_image_verify which returns 0 if not
all images are valid, otherwise 1. Here the logic is inverted and allows
for partial verification. The former is an issue, the latter *could* be
fine if we document it well.
> +}
> +
> static int fit_image_uncipher(const void *fit, int image_noffset,
> void **data, size_t *size)
> {
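Review bot: The printf in the `confs_noffset < 0` branch passes FIT_IMAGES_PATH although the lookup just above it used FIT_CONFS_PATH, so a missing configurations node would be reported under the images path; pass FIT_CONFS_PATH there. The comments "Find images parent node offset" and "check hashes for each" read like leftovers from the image-verification function and should name configurations and signatures. In the loop, when fit_config_verify() returns non-zero the code does `continue` right after printing "%s ... ", so the loop itself never terminates or marks the line for a failing configuration, while a passing one gets "OK\n"; print a failure marker and a newline before continuing so the per-configuration result is unambiguous in the log.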
> diff --git a/cmd/bootm.c b/cmd/bootm.c
> index ca7cec91fad..2faa9648c46 100644
> --- a/cmd/bootm.c
> +++ b/cmd/bootm.c
> @@ -335,6 +335,13 @@ static int image_info(ulong addr)
> return 1;
> }
>
> + if (CONFIG_IS_ENABLED(FIT_SIGNATURE) &&
> + fit_all_configurations_verify(hdr) != 0) {
> + puts("Signature verification failed!\n");
> + unmap_sysmem(hdr);
> + return 1;
> + }
> +
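Review bot: The `!= 0` test in image_info() treats every non-zero return the same, which includes the -ENOENT that fit_all_configurations_verify() is initialised with and returns unchanged when the configurations node has no subnodes, and the negative value it returns when fdt_path_offset() cannot find the node. In both cases no signature was actually checked, yet the user sees "Signature verification failed!". Either separate "nothing to verify" from "verification failed" in the return value and handle them differently here, or include the return code in the message so the two cases can be told apart.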
After patch 4/4, I believe this will now fail if you have a FIT image
with only image signatures and no conf signatures (which is valid!).
Also need tests to make sure this doesn't regress.
Cheers,
Quentin