[PATCH v3 7/7] test: py: add mkimage dm-verity round-trip test

Fri May 8 19:49:21 CEST 2026

Hi Daniel,

On 2026-05-07T16:40:15, Daniel Golle <daniel at makrotopia.org> wrote:
> test: py: add mkimage dm-verity round-trip test
>
> Add test/py/tests/test_fit_verity.py with two tests.
>
> Both tests are skipped if veritysetup is not installed on the host.
>
> Signed-off-by: Daniel Golle <daniel at makrotopia.org>
>
> test/py/tests/test_fit_verity.py | 145 +++++++++++++++++++++++++++++++++++++++
>  1 file changed, 145 insertions(+)

Reviewed-by: Simon Glass <sjg at chromium.org>

A few improvements below

> diff --git a/test/py/tests/test_fit_verity.py b/test/py/tests/test_fit_verity.py
> @@ -0,0 +1,145 @@
> +    # Without -E, mkimage should fail for dm-verity images
> +    dtc_args = f'-I dts -O dtb -i {tempdir}'
> +    with pytest.raises(Exception):
> +        utils.run_and_log(ubman,
> +                          [mkimage, '-D', dtc_args, '-f', its_file, fit_file])

pytest.raises(Exception) is too broad - it will swallow any failure
(FileNotFoundError, an mkimage segfault, etc.) and the test will
appear to pass. Please use utils.run_and_log_expect_exception() with
the specific retcode and a fragment of the expected diagnostic
('dm-verity requires external data') so we verify mkimage rejected the
image for the right reason.

> diff --git a/test/py/tests/test_fit_verity.py b/test/py/tests/test_fit_verity.py
> @@ -0,0 +1,145 @@
> +            dm-verity {
> +                algo = 'sha256';
> +                data-block-size = <4096>;
> +                hash-block-size = <4096>;
> +            };

Since v3 extends the block-count overflow check to cover
hash-block-size < data-block-size, and patch 5 calls out that
hash-start-block only equals num-data-blocks when the two sizes are
equal, how about a second positive case with mismatched sizes (e.g.
data 4096, hash 1024) so hash-start-block != num-data-blocks is
actually exercised.

> diff --git a/test/py/tests/test_fit_verity.py b/test/py/tests/test_fit_verity.py
> @@ -0,0 +1,145 @@
> +    # Build the FIT with external data (required for dm-verity)
> +    dtc_args = f'-I dts -O dtb -i {tempdir}'
> +    utils.run_and_log(ubman,
> +                      [mkimage, '-E', '-D', dtc_args, '-f', its_file, fit_file])

The test confirms mkimage writes back the four computed properties,
but never that the digest is correct for the data, so a regression
that produced a stable but wrong digest would still pass. Can you run
'veritysetup verify' against the external data and assert the digests
match?

Regards,
Simon