[PATCH v2] boot: Add fit_config_get_hash_list() to build signed node list
Nussel, Ludwig
ludwig.nussel at siemens.com
Mon Mar 9 18:29:17 CET 2026
On Thu, 2026-03-05 at 18:20 -0700, Simon Glass wrote:
> From: Simon Glass <simon.glass at canonical.com>
>
> The hashed-nodes property in a FIT signature node lists which FDT paths
> are included in the signature hash. It is intended as a hint so should
> not be used for verification.
>
> Add a function to build the node list from scratch by iterating the
> configuration's image references. Skip properties known not to be image
> references. For each image, collect the path plus all hash and cipher
> subnodes.
>
> Use the new function in fit_config_check_sig() instead of reading
> 'hashed-nodes'.
While growing more grey hair trying to wrap my head around this I found
a mean trap. mkimage reads a 'sign-images' property to determine which
images to include in the hash regions. Without that property only
kernel, fdt and script properties are included at image generation time
(see fit_config_get_image_list()).
The new verification code works without such a weird hardcoded list. So
as soon as a FIT image has e.g. a ramdisk and it's not listed in 'sign-
images' the verification fails.
> +static int fit_config_add_hash(const void *fit, int image_noffset,
> + char **node_inc, int *count, int max_nodes,
> + char *buf, int *buf_used, int buf_len)
Took me a while to figure out that a function with the same name is
also in tools/image-host.c. Might make sense to pick a different one :-
)
cu
Ludwig
--
Ludwig Nussel
Siemens AG
www.siemens.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-machbunt.patch
Type: text/x-patch
Size: 2141 bytes
Desc: colorized hexdump showing regions for hash.patch
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260309/c3cf6b68/attachment.bin>
More information about the U-Boot
mailing list