[PATCH] boot: Add fit_config_get_hash_list() to build signed node list
Tom Rini
trini at konsulko.com
Fri Mar 6 16:10:56 CET 2026
On Thu, Mar 05, 2026 at 06:22:15PM -0700, Simon Glass wrote:
> Hi Tom,
>
> On Thu, 5 Mar 2026 at 12:38, Tom Rini <trini at konsulko.com> wrote:
> >
> > On Wed, Mar 04, 2026 at 06:51:48AM -0700, Simon Glass wrote:
> >
> > > From: Simon Glass <simon.glass at canonical.com>
> > >
> > > The hashed-nodes property in a FIT signature node lists which FDT paths
> > > are included in the signature hash. It is intended as a hint so should
> > > not be used for verification.
> > >
> > > Add a function to build the node list from scratch by iterating the
> > > configuration's image references. Skip properties known not to be image
> > > references. For each image, collect the path plus all hash and cipher
> > > subnodes.
> > >
> > > Use the new function in fit_config_check_sig() instead of reading
> > > 'hashed-nodes'.
> > >
> > > Update the docs to cover this. The FIT spec can be updated separately.
> > >
> > > Signed-off-by: Simon Glass <simon.glass at canonical.com>
> >
> > This breaks:
> > FAILED test/py/tests/test_vboot.py::test_vboot[sha1-basic-sha1--None-False-True-False-False] - AssertionError
> > unfortunately.
>
> Yes, as the messages change. I'll send a v2.
Thanks.
> What do you think about the 'No images in config' message? I doubt it
> would happen in practice so we could perhaps drop it.
I think it's best to inform the user whenever possible, so might as well
keep it.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260306/54fe4706/attachment.sig>
More information about the U-Boot
mailing list