[PATCH v4 5/6] iminfo: also verify signatures

Fri May 15 15:37:25 CEST 2026

Hi Ludwig,

On 2026-05-13T14:08:10, Ludwig Nussel <ludwig.nussel at siemens.com> wrote:
> iminfo: also verify signatures
>
> The iminfo command already verifies hashes of images. This change
> also verifies signatures of configurations if enabled.
> If FIT_REQUIRE_CONFIG_SIGS is enabled, iminfo also fails if
> signatures are missing.
>
> Adjusts error output slightly to be on stderr
>
> Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>
>
> boot/image-fit.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  cmd/bootm.c      | 10 ++++++++++
>  include/image.h  |  8 ++++++++
>  3 files changed, 71 insertions(+)

> diff --git a/cmd/bootm.c b/cmd/bootm.c
> @@ -335,6 +335,16 @@ static int image_info(ulong addr)
> +             if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
> +                     int ret = fit_all_configurations_verify(hdr);
> +
> +                     if (ret != 0 && (ret != -ENOENT ||
> +                                      CONFIG_IS_ENABLED(FIT_REQUIRE_CONFIG_SIGS))) {
> +                             unmap_sysmem(hdr);
> +                             return 1;
> +                     }
> +             }

The point of the inline stub you added in image.h is to let the caller
drop this guard. Please remove the outer
CONFIG_IS_ENABLED(FIT_SIGNATURE) wrapper - when FIT_SIGNATURE is off
the stub returns 0 and the body falls through.

> diff --git a/boot/image-fit.c b/boot/image-fit.c
> @@ -1512,6 +1512,59 @@ int fit_all_image_verify(const void *fit)
> +#if FIT_IMAGE_ENABLE_VERIFY
> +int fit_all_configurations_verify(const void *fit)

The header guards the prototype with CONFIG_IS_ENABLED(FIT_SIGNATURE)
but the implementation uses FIT_IMAGE_ENABLE_VERIFY. They coincide for
target builds, but please use the same gate on both sides -
CONFIG_IS_ENABLED(FIT_SIGNATURE) seems right since this is
target-only.

> diff --git a/boot/image-fit.c b/boot/image-fit.c
> @@ -1512,6 +1512,59 @@ int fit_all_image_verify(const void *fit)
> + * Return:
> + * * 0, all configurations have valid signatures
> + * * -ENOENT, no signatures found
> + * * < 0, -errno
> + */

'no signatures found' is misleading... -ENOENT is only returned when
the /configurations node is missing or empty. When configurations
exist but none carry a signature, fit_config_verify() returns 0 and so
does this function. Please reword to 'no configurations found',
otherwise the iminfo caller's special-casing of -ENOENT doesn't mean
what a reader would expect.

> diff --git a/boot/image-fit.c b/boot/image-fit.c
> @@ -1512,6 +1512,59 @@ int fit_all_image_verify(const void *fit)
> +     /* Find configurations parent node offset */
> +     confs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH);
> +     if (confs_noffset < 0) {
> +             log_debug("Missing '%s' node: %s\n",
> +                       FIT_CONFS_PATH, fdt_strerror(confs_noffset));
> +             return r;
> +     }

fit_all_image_verify() above uses printf() for the matching "Can't
find images parent node" error and it is visible by default. Hiding
the equivalent here behind log_debug() means iminfo silently succeeds
(or silently fails with FIT_REQUIRE_CONFIG_SIGS) without telling the
user why. Please use log_info() or at least log_warning().

Regards,
Simon