[PATCH 2/4] iminfo: also verify signatures

Ludwig Nussel ludwig.nussel at siemens.com
Tue Apr 28 10:13:52 CEST 2026


On 4/27/26 18:19, Quentin Schulz wrote:
> On 4/27/26 5:03 PM, Ludwig Nussel wrote:
>> The iminfo command already verifies hashes of images. This change also
>> verifies signatures of configurations if enabled.
>>
>> Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>
>> ---
>>
>>   boot/image-fit.c | 36 ++++++++++++++++++++++++++++++++++++
>>   cmd/bootm.c      |  7 +++++++
>>   include/image.h  |  1 +
>>   3 files changed, 44 insertions(+)
>>
>> diff --git a/boot/image-fit.c b/boot/image-fit.c
>> index 2d2709aa5b1..b2c6db79edb 100644
>> --- a/boot/image-fit.c
>> +++ b/boot/image-fit.c
>> @@ -1512,6 +1512,42 @@ int fit_all_image_verify(const void *fit)
>>       return 1;
>>   }
>> +int fit_all_configurations_verify(const void *fit)
>> +{
> 
> Please document this function. It's clearly surprising to me that the 
> function successfully returns if at least one conf node could be verified.

Right. Will add documentation. The function actually succeeds if all 
configurations have at least one valid signature according to 
fit_config_verify_required_keys().

> Please indent like we have for fit image node verification, with 3
> leading spaces.
> 
>> +        ret = fit_config_verify(fit, noffset);
>> +        if (ret) {
>> +            r = ret;
>> +            continue;
>> +        }
>> +        /* at least one correct config */
>> +        if (r == -ENOENT)
> 
> Where is this ENOENT originating from, it's not obvious to me.

r is initialized with -ENOENT. As long as it has this setting there was 
no failed signature.

>> +            r = 0;
> 
> This will be overwritten if the last checked config is a fail, so it 
> isn't "at least one correct config".
> 
>> +        puts("OK\n");
>> +    }
>> +
>> +    return r;
> 
> Please stay consistent with fit_all_image_verify which returns 0 if not 
> all images are valid, otherwise 1. Here the logic is inverted and allows 
> for partial verification. The former is an issue, the latter *could* be 
> fine if we document it well.

Right, U-Boot in general seems to mix styles. I made this consistent 
with fit_config_verify() which it uses.

>> +}
>> +
>>   static int fit_image_uncipher(const void *fit, int image_noffset,
>>                     void **data, size_t *size)
>>   {
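
Review bot: in the loop of fit_all_configurations_verify(), -ENOENT is both the "no failure seen yet" marker tested by "if (r == -ENOENT)" and a value that "r = ret;" can store, so if fit_config_verify() ever returns -ENOENT for one configuration, the next configuration that verifies resets r to 0 and that failure is lost. Track failures in a separate flag or counter instead of overloading r. The "at least one correct config" comment should be reworded as well, because any other error stored by "r = ret;" is never cleared by a later success, so a single failing configuration makes the function fail. A kernel-doc comment stating the return convention would help too, given that the fit_all_image_verify() context just above ends in "return 1;".
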
>> diff --git a/cmd/bootm.c b/cmd/bootm.c
>> index ca7cec91fad..2faa9648c46 100644
>> --- a/cmd/bootm.c
>> +++ b/cmd/bootm.c
>> @@ -335,6 +335,13 @@ static int image_info(ulong addr)
>>               return 1;
>>           }
>> +        if (CONFIG_IS_ENABLED(FIT_SIGNATURE) &&
>> +            fit_all_configurations_verify(hdr) != 0) {
>> +            puts("Signature verification failed!\n");
>> +            unmap_sysmem(hdr);
>> +            return 1;
>> +        }
>> +
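
Review bot: the "fit_all_configurations_verify(hdr) != 0" test in image_info() discards the error code, so every non-zero return prints the same "Signature verification failed!" line. Store the return value in a local and include it in the message, so the iminfo output shows which error the verification returned.
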
> 
> After patch 4/4, I believe this will now fail if you have a FIT image 
> with only image signatures and no conf signatures (which is valid!).

Indeed. If the image signing is still a thing to support, would it make 
sense to introduce an option to enforce config signatures?

cu
Ludwig

-- 
Ludwig Nussel
Siemens AG
www.siemens.com