[PATCH 3/9] boot: image: add FIT decrypt-to-buffer helper

Simon Glass sjg at chromium.org
Thu Jul 2 22:02:03 CEST 2026


Hi James,

On 2026-07-02T01:46:51, James Hilliard <james.hilliard1 at gmail.com> wrote:
> boot: image: add FIT decrypt-to-buffer helper
>
> FIT cipher support currently allocates the output buffer inside the AES
> helper. SPL often needs to decrypt directly into a caller-selected buffer,
> for example a load buffer or a scratch buffer used before decompression.
>
> Add a decrypt_to callback to the FIT cipher algorithm and wire it up for
> AES. The existing allocating decrypt path becomes a wrapper around the new
> helper.
>
> When DM_AES is enabled, try the first UCLASS_AES provider before using the
> software AES fallback in U-Boot proper. Return AES device errors to the
> caller instead of hiding them with a software fallback after the device has
> accepted the operation.
>
> Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
>
> boot/image-cipher.c   | 38 ++++++++++++++++++--
>  boot/image-fit.c      |  7 ++--
>  include/image.h       | 39 ++++++++++++++++++--
>  include/u-boot/aes.h  | 10 ++++++
>  lib/Makefile          |  2 +-
>  lib/aes/aes-decrypt.c | 98 +++++++++++++++++++++++++++++++++++++++++++--------
>  6 files changed, 170 insertions(+), 24 deletions(-)

> Add a decrypt_to callback to the FIT cipher algorithm and wire it up for
> AES. The existing allocating decrypt path becomes a wrapper around the new
> helper.

This patch also adds key/IV length validation in
fit_image_setup_decrypt(), a length check on 'data-size-unciphered' in
fit_image_get_data_size_unciphered() and makes the lib/aes/ build rule
phase-keyed, none of which is mentioned in the commit message. Please
can you split the validation hardening into its own patch, or at least
explain it here? The lib/Makefile change looks like preparation for
SPL support, so it might sit better in patch 4 which adds
SPL_FIT_CIPHER

> diff --git a/lib/aes/aes-decrypt.c b/lib/aes/aes-decrypt.c
> @@ -4,37 +4,105 @@
> +     unsigned int aes_blocks, key_len = info->cipher->key_len;
> +     int ret = -ENOSYS;
> +
> +     ret = image_aes_validate_lengths(info, cipher_len);

The -ENOSYS initialiser is dead, since ret is immediately overwritten
by the validate call. So in an XPL build with DM_AES disabled the
function falls past both the DM and software paths and returns 0
without decrypting anything. Kconfig prevents that combination once
patch 4 makes SPL_FIT_CIPHER depend on SPL_DM_AES, but silent success
here would be nasty to debug. Please return -ENOSYS explicitly when no
implementation is available

> diff --git a/lib/aes/aes-decrypt.c b/lib/aes/aes-decrypt.c
> @@ -4,37 +4,105 @@
> +                     ret = dm_aes_set_key_for_key_slot(dev, key_len * 8,
> +                                                       (u8 *)info->key, 0);
> +                     if (ret)
> +                             return ret;
> +
> +                     ret = dm_aes_select_key_slot(dev, key_len * 8, 0);

Just to check, is it safe to assume key slot 0 is free on all
UCLASS_AES providers? On Tegra, slot 0 is TEGRA_AES_SLOT_SBK, holding
the secure boot key loaded by the bootrom, so writing the FIT key
there would clobber it (see arch/arm/include/asm/arch-tegra/crypto.h
and tegra_aes.c). It might be safer to pick the last slot reported by
dm_aes_available_key_slots(), or make the slot a parameter. What do
you think?

Regards,
Simon


More information about the U-Boot mailing list