[PATCH] FIT: Address Secure Boot Bypass for Signed FIT Images

Tom Rini trini at konsulko.com
Thu Mar 5 19:07:20 CET 2026


On Mon, Mar 02, 2026 at 04:09:37PM -0600, Tom Rini wrote:

> There is a flaw in how U-Boot verifies and generates signatures for FIT
> images. To prevent mix and match style attacks, it is recommended to
> use signed configurations. How this is supposed to work is documented in
> doc/usage/fit/signature.rst.
> 
> Crucially, the `hashed-nodes` property of the `signature` node contains
> which nodes of the FIT device tree were hashed as part of the signature
> and should be verified. However, this property itself is not part of the
> hash and can therefore be modified by an attacker. Furthermore, the
> signature only contains the name of each node and not the path in the
> device tree to the node.
> 
> This patch reworks the code to address this specific oversight.
> 
> Thanks to Apple Security Engineering and Architecture (SEAR) for
> reporting this issue and then coming up with a fix.
> 
> Reported-by: Apple Security Engineering and Architecture (SEAR)
> Signed-off-by: Tom Rini <trini at konsulko.com>

I just want to thank everyone who has looked into this and worked out
another solution to the problem. This is why our policy is to have
things disclosed in public and worked out in public, and has been an
excellent demonstration of how open source is supposed to work.
Thank you all!

-- 
Tom
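A constructed model of the verification flaw described in the quoted commit message and of the property the rework restores, added here as an illustration and not U-Boot's code: an HMAC stands in for the RSA signature, a dict of paths stands in for the FIT device tree, and the node names, contents and tree layout are all made up.

```python
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # an HMAC stands in for the RSA signature
# Constructed FIT-like image: full node path -> contents. conf-1 names the
# image nodes the loader resolves under /images/.
GENUINE = {
    "/images/kernel-1": b"kernel blob v1",
    "/images/fdt-1": b"device tree v1",
    "/configurations/conf-1": b"kernel=kernel-1;fdt=fdt-1",
}
# Tampered copy: the signed fdt-1 contents survive under another path while
# /images/fdt-1, the node conf-1 actually resolves to, holds unsigned contents.
TAMPERED = {
    "/images/kernel-1": GENUINE["/images/kernel-1"],
    "/stale/fdt-1": GENUINE["/images/fdt-1"],
    "/images/fdt-1": b"device tree, unsigned",
    "/configurations/conf-1": GENUINE["/configurations/conf-1"],
}
NAMES = ["conf-1", "kernel-1", "fdt-1"]  # flawed hashed-nodes: bare names only
PATHS = ["/configurations/conf-1", "/images/kernel-1", "/images/fdt-1"]  # hardened

def sign(digest):
    return hmac.new(SIGNING_KEY, digest, "sha256").digest()

def digest_by_name(tree, hashed_nodes):
    """Flawed scheme: nodes matched by bare name; the list itself is not covered."""
    h = hashlib.sha256()
    for name in hashed_nodes:
        h.update(next(c for p, c in tree.items() if p.rsplit("/", 1)[-1] == name))
    return h.digest()

def digest_by_path(tree, hashed_nodes):
    """Hardened scheme: full paths, each bound to its contents, and the whole
    list of paths is itself under the digest."""
    h = hashlib.sha256()
    for path in sorted(hashed_nodes):
        h.update(path.encode() + b"\0" + tree[path] + b"\0")
    return h.digest()

def verify_by_name(tree, hashed_nodes, sig):
    return hmac.compare_digest(sign(digest_by_name(tree, hashed_nodes)), sig)

def verify_by_path(tree, hashed_nodes, sig, conf="/configurations/conf-1"):
    # The configuration and every image it references must be in the signed
    # list, so a hashed-nodes list trimmed to skip a node is rejected up front.
    refs = dict(kv.split("=") for kv in tree[conf].decode().split(";"))
    required = {conf} | {"/images/" + v for v in refs.values()}
    if not required <= set(hashed_nodes):
        return False
    return hmac.compare_digest(sign(digest_by_path(tree, hashed_nodes)), sig)
```

With the name-based digest the tampered tree still verifies against the genuine signature, because the signed contents are found by name under a different path; the path-based digest rejects it, and also rejects a shortened hashed-nodes list.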