[PATCH v2 1/4] qemu: overlay signature nodes
Simon Glass
sjg at chromium.org
Mon May 4 14:26:04 CEST 2026
Hi Ludwig,
On 2026-04-30T12:25:59, Ludwig Nussel <ludwig.nussel at siemens.com> wrote:
> qemu: overlay signature nodes
>
> The keys trusted for FIT signature verification are supposed to be
> embedded in the device tree built into u-boot. When running in Qemu it's
> convenient to use the device tree provided by the VM which doesn't know
> about signatures though. So merge the signature nodes at run time.
>
> Needs
> CONFIG_OF_OMIT_DTB=n
> CONFIG_OF_LIBFDT_OVERLAY=y
>
> Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>
>
> board/emulation/qemu-arm/qemu-arm.c | 33 ++++++++++++++++++++++++++++++++-
> 1 file changed, 32 insertions(+), 1 deletion(-)
> diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c
> @@ -147,7 +147,38 @@ int dram_init_banksize(void)
> int board_fdt_blob_setup(void **fdtp)
> {
> /* QEMU loads a generated DTB for us at the start of RAM. */
> - *fdtp = (void *)CFG_SYS_SDRAM_BASE;
> + void *qemu_fdt = (void *)CFG_SYS_SDRAM_BASE;
> + int ret;
> +
> + if (!*fdtp)
> + goto out;
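Review bot: the "if (!*fdtp) goto out;" early exit at the top of board_fdt_blob_setup() turns a missing built-in DT into a silent no-op, while the commit message lists CONFIG_OF_OMIT_DTB=n as a hard requirement of this change. If the built-in DT is the intended carrier for the trusted FIT keys, the missing case should at least be logged (log_warning or better), or the requirement should be expressed as a Kconfig dependency on the qemu-arm board so that a configuration without the built-in DT cannot be built in the first place; as written, nothing distinguishes "no DT compiled in" from the merge having run.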
This runs the opposite direction to qemu-sbsa, which uses the U-Boot
DT as the base and overlays the QEMU DT onto it (see
fdtdec_board_setup() in board/emulation/qemu-sbsa/qemu-sbsa.c). Done
this way, any node in U-Boot's built-in DT that shares a name with a
QEMU node (/cpus, /memory, /chosen, ...) will have its properties
merged into QEMU's, potentially clobbering the hardware description.
If this is correct, please explain in the commit message why the merge
runs in this direction.
> diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c
> @@ -147,7 +147,38 @@ int dram_init_banksize(void)
> + if (!CONFIG_IS_ENABLED(OF_LIBFDT_OVERLAY)) {
> + log_err("found built-in dt but CONFIG_OF_LIBFDT_OVERLAY isn't enabled");
> + goto out;
> + }
> +
> + if (fdt_check_header(*fdtp) != 0) {
> + log_err("invalid built-in fdt, skipped.\n");
> + goto out;
> + }
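Review bot: the CONFIG_IS_ENABLED(OF_LIBFDT_OVERLAY) test at the start of this hunk is a compile-time condition evaluated at runtime, so the fdt_overlay_apply_node() call later in the function is still compiled with the option off and only links because the compiler drops the unreachable branch; a Kconfig "depends on OF_LIBFDT_OVERLAY" (or "imply") for this board removes that dependence and turns the runtime log_err() into a build-time error. Both error branches here also take the same "goto out" as the no-built-in-DT case, so the caller cannot tell "nothing to merge" from "merge refused"; please return a negative error from the two log_err() paths. Minor: the first message has no trailing \n and the second ends in a period followed by \n.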
Every error path falls through to out: which assigns qemu_fdt and
returns 0 — we silently continue with a QEMU DT that has no signature
node. Doesn't this defeat the purpose of the series? - with
FIT_SIGNATURE_REQUIRED disabled, a board can boot unsigned FITs
without anyone noticing the merge failed. Please return a -ve error
here rather than failing open.
Also, please express the CONFIG_OF_LIBFDT_OVERLAY=y requirement as
depends on / imply / select in Kconfig rather than a runtime log_err()
- qemu_arm*_defconfig does not set it.
> diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c
> @@ -147,7 +147,38 @@ int dram_init_banksize(void)
> + ret = fdt_increase_size(qemu_fdt, 1024 + fdt_totalsize(*fdtp));
> + if (ret) {
> + log_err("Failed to resize overlay: %d", ret);
> + goto out;
> + }
> +
> + ret = fdt_overlay_apply_node(qemu_fdt, 0, (void *)*fdtp, 0);
> + if (ret) {
> + log_err("Failed to apply overlay: %d\n", ret);
> + goto out;
> + }
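Review bot: the error path after fdt_overlay_apply_node() cannot safely fall back to qemu_fdt: libfdt documents that the base tree should be expected to be modified even when the apply returns an error, and because fdt_increase_size() has already re-opened the QEMU DT in place at CFG_SYS_SDRAM_BASE there is no pristine copy left, so "goto out" after a failed apply hands back a possibly half-merged tree. Either apply onto a scratch copy and only switch to it on success, or treat a failed apply as fatal. Two smaller points: the "(void *)*fdtp" cast is redundant since *fdtp is already a void *, and growing the blob in place assumes the RAM immediately after the QEMU-provided DTB is unused; a one-line comment stating that assumption next to the fdt_increase_size() call would help the next reader.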
Can you check that qemu_fdt is valid, like sbsa?
libfdt error codes are more useful via fdt_strerror(ret) than as raw
%d - please switch over.
Style nits on the log_err strings: inconsistent newlines ("isn't
enabled" and "Failed to resize overlay: %d" have none, the others do),
and 'skipped.' has a period followed by \n. Please make them uniform -
every log_err() should end in \n with no trailing period.
> diff --git a/board/emulation/qemu-arm/qemu-arm.c b/board/emulation/qemu-arm/qemu-arm.c
> @@ -147,7 +147,38 @@ int dram_init_banksize(void)
> + log_debug("found built-in dt %p merging into qemu's at %p...\n", *fdtp, qemu_fdt);
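Review bot: this log_debug() line runs past 80 columns once the tab indent is counted; please wrap the arguments onto a second line. The message also only announces the merge ("merging into qemu's at %p..."), whereas the useful debug signal for this series is the outcome: consider a log_debug() after the apply that reports whether the merged tree actually carries the /signature node (fdt_path_offset(qemu_fdt, "/signature") >= 0), since that is the property the whole change exists to establish.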
Minor wording: "found built-in dt, merging into QEMU's at %p" reads
better. Also please use one term consistently ("DT"?) - you mix "dt",
"fdt" and "DT" across these messages.
I'll also mention [1] here as I see that as a more generic solution
(but to be clear, we should still take this patch).
Regards,
Simon
[1] https://patchew.org/QEMU/20250405191352.2597585-1-sjg@chromium.org/