[RFC PATCH 3/3] boot/fit: stop rejecting '@' during FIT format checking
Lorenz Kofler
lorenz at sigma-star.at
Tue Jun 2 09:43:35 CEST 2026
Partially revert commit 3f04db891a35 ("image: Check for unit addresses in
FITs").
FIT references are now resolved with an exact subnode-name match, so this
blanket rejection is no longer needed, so drop it to restore support for
FIT images that use unit addresses in their node names.
Only the '@'-rejection logic is reverted.
Signed-off-by: Lorenz Kofler <lorenz at sigma-star.at>
---
boot/image-fit.c | 49 +------------------------------------
test/py/tests/test_vboot.py | 7 +++---
2 files changed, 5 insertions(+), 51 deletions(-)
diff --git a/boot/image-fit.c b/boot/image-fit.c
index d82603ae557..7f8c055326e 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1627,34 +1627,6 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp)
return (comp == image_comp);
}
-/**
- * fdt_check_no_at() - Check for nodes whose names contain '@'
- *
- * This checks the parent node and all subnodes recursively
- *
- * @fit: FIT to check
- * @parent: Parent node to check
- * Return: 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@'
- */
-static int fdt_check_no_at(const void *fit, int parent)
-{
- const char *name;
- int node;
- int ret;
-
- name = fdt_get_name(fit, parent, NULL);
- if (!name || strchr(name, '@'))
- return -EADDRNOTAVAIL;
-
- fdt_for_each_subnode(node, fit, parent) {
- ret = fdt_check_no_at(fit, node);
- if (ret)
- return ret;
- }
-
- return 0;
-}
-
int fit_check_format(const void *fit, ulong size)
{
int ret;
@@ -1676,27 +1648,10 @@ int fit_check_format(const void *fit, ulong size)
if (size == IMAGE_SIZE_INVAL)
size = fdt_totalsize(fit);
ret = fdt_check_full(fit, size);
- if (ret)
- ret = -EINVAL;
- /*
- * U-Boot stopped using unit addressed in 2017. Since libfdt
- * can match nodes ignoring any unit address, signature
- * verification can see the wrong node if one is inserted with
- * the same name as a valid node but with a unit address
- * attached. Protect against this by disallowing unit addresses.
- */
- if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
- ret = fdt_check_no_at(fit, 0);
-
- if (ret) {
- log_debug("FIT check error %d\n", ret);
- return ret;
- }
- }
if (ret) {
log_debug("FIT check error %d\n", ret);
- return ret;
+ return -EINVAL;
}
}
@@ -2092,8 +2047,6 @@ int fit_image_load(struct bootm_headers *images, ulong addr,
ret = fit_check_format(fit, IMAGE_SIZE_INVAL);
if (ret) {
printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret);
- if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL)
- printf("Signature checking prevents use of unit addresses (@) in nodes\n");
bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT);
return ret;
}
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 55518bed07e..9fdb649755a 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -368,9 +368,10 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
ubman, [fit_check_sign, '-f', efit, '-k', dtb],
1, 'Failed to verify required signature')
- # bootm catches it earlier, at fit_check_format() time
- msg = 'Signature checking prevents use of unit addresses (@) in nodes'
- run_bootm(sha_algo, 'evil kernel@', msg, False, efit)
+ # bootm catches it during verification: the exact-match lookup
+ # refuses to resolve the real image name to the inserted '@' node,
+ # so the data hash no longer matches and the kernel is rejected
+ run_bootm(sha_algo, 'evil kernel@', 'Bad Data Hash', False, efit)
# Try doing a clone of the images
efit = '%stest.evilclone.fit' % tmpdir
--
2.54.0
More information about the U-Boot
mailing list