[PATCH] cmd: fdt: keep control FDT during checksign
James Hilliard
james.hilliard1 at gmail.com
Fri Jun 26 02:18:21 CEST 2026
The fdt checksign command accepts an optional address for an FDT
containing public keys. It currently installs that blob as gd->fdt_blob
before verifying the FIT configuration.
This breaks verification with DM-backed crypto drivers which have not
probed yet, since the later probe path expects gd->fdt_blob to remain
U-Boot's control FDT. For example, an ECDSA verifier can be bound from
the control FDT but fail to probe after fdt checksign points
gd->fdt_blob at the key-only DTB.
Add a FIT config verification helper that takes the key blob explicitly
and use it from fdt checksign. This keeps gd->fdt_blob unchanged while
still allowing the command to verify against an external key DTB.
Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
---
boot/image-fit-sig.c | 8 +++++++-
cmd/fdt.c | 14 ++++++--------
include/image.h | 9 +++++++++
3 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 9b5ab754561..fe7ca6e4ab5 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -708,8 +708,14 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
return 0;
}
+int fit_config_verify_with_key_blob(const void *fit, int conf_noffset,
+ const void *key_blob)
+{
+ return fit_config_verify_required_keys(fit, conf_noffset, key_blob);
+}
+
int fit_config_verify(const void *fit, int conf_noffset)
{
- return fit_config_verify_required_keys(fit, conf_noffset,
+ return fit_config_verify_with_key_blob(fit, conf_noffset,
gd_fdt_blob());
}
diff --git a/cmd/fdt.c b/cmd/fdt.c
index d6d5b9fdfd2..7e2abf96103 100644
--- a/cmd/fdt.c
+++ b/cmd/fdt.c
@@ -719,22 +719,19 @@ static int do_fdt(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
} else if (strncmp(argv[1], "che", 3) == 0) {
int cfg_noffset;
int ret;
- unsigned long addr;
- struct fdt_header *blob;
+ struct fdt_header *key_blob;
if (!working_fdt)
return CMD_RET_FAILURE;
if (argc > 2) {
- addr = hextoul(argv[2], NULL);
- blob = map_sysmem(addr, 0);
+ key_blob = map_sysmem(hextoul(argv[2], NULL), 0);
} else {
- blob = (struct fdt_header *)gd->fdt_blob;
+ key_blob = (struct fdt_header *)gd->fdt_blob;
}
- if (!fdt_valid(&blob))
+ if (!fdt_valid(&key_blob))
return 1;
- gd->fdt_blob = blob;
cfg_noffset = fit_conf_get_node(working_fdt, NULL);
if (cfg_noffset < 0) {
printf("Could not find configuration node: %s\n",
@@ -742,7 +739,8 @@ static int do_fdt(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
return CMD_RET_FAILURE;
}
- ret = fit_config_verify(working_fdt, cfg_noffset);
+ ret = fit_config_verify_with_key_blob(working_fdt, cfg_noffset,
+ key_blob);
if (ret == 0)
return CMD_RET_SUCCESS;
else
diff --git a/include/image.h b/include/image.h
index 9c8a746d576..4b3c9c87bf5 100644
--- a/include/image.h
+++ b/include/image.h
@@ -1461,11 +1461,20 @@ int fit_image_verify_with_data(const void *fit, int image_noffset,
int fit_image_verify(const void *fit, int noffset);
#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
int fit_config_verify(const void *fit, int conf_noffset);
+int fit_config_verify_with_key_blob(const void *fit, int conf_noffset,
+ const void *key_blob);
#else
static inline int fit_config_verify(const void *fit, int conf_noffset)
{
return 0;
}
+
+static inline int fit_config_verify_with_key_blob(const void *fit,
+ int conf_noffset,
+ const void *key_blob)
+{
+ return 0;
+}
#endif
int fit_all_image_verify(const void *fit);
int fit_config_decrypt(const void *fit, int conf_noffset);
--
2.53.0
More information about the U-Boot
mailing list