[PATCH 3/3] test: fit: verify dm-verity roothash is covered by the config signature

Tom Rini trini at konsulko.com
Tue Jul 14 18:46:47 CEST 2026


On Tue, Jul 14, 2026 at 06:17:11AM -0600, Simon Glass wrote:
> Hi Daniel,
> 
> On 2026-07-12T00:33:05, Daniel Golle <daniel at makrotopia.org> wrote:
> > test: fit: verify dm-verity roothash is covered by the config signature
> >
> > A dm-verity protected filesystem image is not hashed by U-Boot; its
> > integrity is delegated to the kernel, which trusts the roothash taken
> > from the FIT dm-verity subnode. For that chain of trust to hold, the
> > roothash (and salt) must be part of the region covered by the
> > configuration signature, otherwise an attacker can replace both the
> > filesystem and the roothash while keeping the signature valid.
> >
> > Add two independent checks of this property:
> >
> >  - test/py/tests/test_fit_verity_sign.py signs a configuration that
> >    references a filesystem image carrying a dm-verity subnode, then
> >    confirms that tampering the roothash or the salt is rejected by
> >    fit_check_sign. A control that tampers a byte known to be signed
> >    proves the check can fail.
> >
> >  - test/boot/fit_verity.c gains a runtime unit test that builds the
> >    exact node list the configuration signature is computed over,
> >    turns it into hashed regions and checks both that the roothash
> > [...]
> >
> > boot/image-fit-sig.c                  |  25 +++--
> >  include/image.h                       |  25 +++++
> >  test/boot/fit_verity.c                | 194 ++++++++++++++++++++++++++++++++++
> >  test/py/tests/test_fit_verity_sign.py | 162 ++++++++++++++++++++++++++++
> >  4 files changed, 399 insertions(+), 7 deletions(-)
> 
> Somehow I didn't get this email, but I'll try to reply here.
> 
> > diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
> > @@ -340,8 +340,19 @@ static int fit_config_add_hash(const void *fit, int image_noffset,
> > +#if CONFIG_IS_ENABLED(UNIT_TEST)
> > +#define VISIBLE_IF_UT
> > +#else
> > +#define VISIBLE_IF_UT static
> > +#endif
> 
> Tom commented on this, but I'll just add this. Linux has
> VISIBLE_IF_KUNIT but in U-Boot so far we just stop the static when the
> function is needed elsewhere. LTO can be used to avoid the code-size
> increase, for platforms that want it.

As part of why this should be its own discussion, a quick look at
VISIBLE_IF_KUNIT in the kernel leads me to think it's not quite the same
set of needs, or if so there's a lot more architectural enforcement
around what is/isn't exposed just for testing, which we lack today.
Talking about LTO isn't relevant here.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260714/1eb545ce/attachment.sig>


More information about the U-Boot mailing list