[PATCH v2] boot: Add fit_config_get_hash_list() to build signed node list
Tom Rini
trini at konsulko.com
Fri Mar 6 16:12:15 CET 2026
On Thu, Mar 05, 2026 at 06:20:09PM -0700, Simon Glass wrote:
> From: Simon Glass <simon.glass at canonical.com>
>
> The hashed-nodes property in a FIT signature node lists which FDT paths
> are included in the signature hash. It is intended as a hint so should
> not be used for verification.
>
> Add a function to build the node list from scratch by iterating the
> configuration's image references. Skip properties known not to be image
> references. For each image, collect the path plus all hash and cipher
> subnodes.
>
> Use the new function in fit_config_check_sig() instead of reading
> 'hashed-nodes'.
>
> Update the test_vboot kernel@ test case: fit_check_sign now catches the
> attack at signature-verification time (the @-suffixed node is hashed
> instead of the real one, causing a mismatch) rather than at
> fit_check_format() time.
>
> Update the docs to cover this. The FIT spec can be updated separately.
>
> Signed-off-by: Simon Glass <simon.glass at canonical.com>

Thanks again for looking into this!

Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <trini at konsulko.com>
--
Tom
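
A small C model of the approach the quoted commit message describes: deriving the node list from the configuration's image references instead of reading 'hashed-nodes'. This is an added example, not code from the patch. The FIT here is a constructed in-memory table, the two skipped property names are an assumed skip list, and build_hash_list() and add_path() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of one FIT configuration (constructed sample, not a real FDT). */
struct image { const char *name; const char *subnodes[4]; };
static const struct image images[] = {
	{ "kernel-1", { "hash-1", "cipher", "notes", NULL } },
	{ "fdt-1", { "hash-1", NULL } },
};
static const char *const conf[][2] = {	/* property name, value */
	{ "description", "Boot Linux" },	/* not an image reference */
	{ "kernel", "kernel-1" },
	{ "fdt", "fdt-1" },
};
static char paths[16][64];

static int add_path(int n, const char *img, const char *sub)
{
	if (n < 0 || n >= (int)(sizeof(paths) / sizeof(paths[0])))
		return -1;	/* list full: fail closed */
	snprintf(paths[n], sizeof(paths[n]), "/images/%s%s%s", img, sub ? "/" : "", sub ? sub : "");
	return n + 1;
}

/* Derive the node list from the configuration; returns count or -1. */
int build_hash_list(void)
{
	int n = 0;
	for (size_t p = 0; p < sizeof(conf) / sizeof(conf[0]); p++) {
		const struct image *img = NULL;
		if (!strcmp(conf[p][0], "description") || !strcmp(conf[p][0], "compatible"))
			continue;	/* assumed skip list, not the patch's own */
		for (size_t i = 0; i < sizeof(images) / sizeof(images[0]); i++)
			if (!strcmp(images[i].name, conf[p][1]))
				img = &images[i];
		if (!img)
			return -1;	/* dangling reference: fail closed */
		n = add_path(n, img->name, NULL);
		for (const char *const *s = img->subnodes; *s; s++)
			if (!strncmp(*s, "hash", 4) || !strcmp(*s, "cipher"))
				n = add_path(n, img->name, *s);
	}
	return n;
}

int main(void)
{
	for (int i = 0, n = build_hash_list(); i < n; i++)
		puts(paths[i]);
	return 0;
}
```

The list depends only on what the configuration references, so every referenced image and its hash and cipher subnodes are covered whatever a 'hashed-nodes' hint claims.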