[PATCH 1/2] image-board.c: exempt gd->fdt_blob from fit_check_format() check
Simon Glass
sjg at chromium.org
Fri May 15 15:06:07 CEST 2026
Hi Rasmus,
On 2026-05-12T16:16:29, Rasmus Villemoes <ravi at prevas.dk> wrote:
> image-board.c: exempt gd->fdt_blob from fit_check_format() check
>
> Having scripts embedded one way or the other in the U-Boot binary
> means they are automatically verified/trusted by whatever mechanism
> verifies U-Boot.
>
> Writing those scripts in the built-in environment leads to
> backslatitis and missing or wrong quoting and is generally not very
> readable or maintainable.
>
> Maintaining scripts in external files allows one
> to have both syntax highlighting and to some extent apply shellcheck
> on it (though U-Boot's shell is of course not quite POSIX sh, so some
> '#shellcheck disable' directives are needed). Getting those into the
> U-Boot binary is then a matter of having a suitable .dtsi file such as
>
> / {
> images {
> default = "boot";
> boot {
> [...]
>
> boot/image-board.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Makes sense, and a nice feature.
> diff --git a/boot/image-board.c b/boot/image-board.c
> @@ -1037,7 +1037,7 @@ int image_locate_script(void *buf, int size, const char *fit_uname,
> goto exit_image_format;
> } else {
> fit_hdr = buf;
> - if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
> + if (fit_hdr != gd->fdt_blob && fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
> puts("Bad FIT image format\n");
> return 1;
> }
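Review bot: the exemption in this hunk is decided purely by pointer identity, so only a buffer that is exactly gd->fdt_blob skips the check; a copy of the control DTB at another address (for example one relocated or loaded by a caller) still goes through the strict check and fails on the missing description/timestamp and the unit-address rule, while any caller that happens to pass gd->fdt_blob gets the bypass whether or not that was intended. That is acceptable for a trusted built-in blob, but state it in a comment next to the test rather than leaving a bare comparison. The combined condition is also long at this indentation; hoisting it into a named local keeps the intent visible and the line short, e.g. `bool trusted = fit_hdr == gd->fdt_blob;` followed by `if (!trusted && fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {`, and gives a natural place for the comment.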
Please add a code comment explaining why the control DTB is exempt - a
future reader running git blame will be puzzled by the pointer
comparison. Something like 'gd->fdt_blob has already been validated by
the bootloader and is by definition trusted, so we skip the strict FIT
format checks (no description/timestamp, presence of unit-addresses,
...) for that buffer'.
This also skips fdt_check_header() and fdt_check_full(). Fine for the
control DTB, but please note in the commit message that more than the
no-@ check is bypassed - the message currently singles out no-@ as
'not possible to get around', implying description/timestamp could be
worked around in the .dtsi, when in fact those are skipped too.
> Except of course that the control DTB is in fact not quite a FIT
> image. The lack of timestamp and description properties could
> potentially be worked around, but the no-@ check is not possible to
> get around. But since the control dtb is by definition trusted, we can
> just excempt that particular address from the strict check.
Typo: excempt -> exempt
> diff --git a/boot/image-board.c b/boot/image-board.c
> @@ -1037,7 +1037,7 @@ int image_locate_script(void *buf, int size, const char *fit_uname,
> + if (fit_hdr != gd->fdt_blob && fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) {
Would it be cleaner to push the trusted-FIT notion into
fit_check_format() itself (e.g. a sibling fit_check_format_trusted()
that skips the strict-format / no-@ pieces)? The pointer-equality test
works but feels out of place in image_locate_script(), and the same
need will likely show up the next time someone wants to
source-from-DTB elsewhere, such as an FPGA image. What do you think?
Regards,
Simon