[PATCH v2 1/3] image-fit.c: introduce CONTROL_DTB_AS_FIT config knob
Simon Glass
sjg at chromium.org
Mon May 25 17:27:34 CEST 2026
Hi Rasmus,
On 2026-05-19T22:54:57, Rasmus Villemoes <ravi at prevas.dk> wrote:
> image-fit.c: introduce CONTROL_DTB_AS_FIT config knob
>
> Having scripts embedded one way or the other in the U-Boot binary
> means they are automatically verified/trusted by whatever mechanism
> verifies U-Boot.
>
> Writing those scripts in the built-in environment leads to
> backslashitis and missing or wrong quoting and is generally not very
> readable or maintainable.
>
> Maintaining scripts in external files allows one
> to have both syntax highlighting and to some extent apply shellcheck
> on it (though U-Boot's shell is of course not quite POSIX sh, so some
> '#shellcheck disable' directives are needed). Getting those into the
> U-Boot binary is then a matter of having a suitable .dtsi file such as
>
> / {
>     images {
>         default = "boot";
>         boot {
> [...]
>
> boot/Kconfig | 9 +++++++++
> boot/image-fit.c | 5 +++++
> 2 files changed, 14 insertions(+)
> diff --git a/boot/image-fit.c b/boot/image-fit.c
> @@ -1676,6 +1676,10 @@ int fit_check_format(const void *fit, ulong size)
> return -ENOEXEC;
> }
>
> + /* For the control DTB to act as a FIT image, we only require an /images node. */
> + if (CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) && fit == gd_fdt_blob())
> + goto check_images_node;
> +
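Review bot: the comment above the new `fit == gd_fdt_blob()` test says what is still required of the control DTB, but not why bypassing the other format checks is acceptable. This pointer comparison is the only gate on the exemption, so the comment should state that the blob at gd_fdt_blob() is covered by whatever verifies U-Boot and that any other address still takes the full path. The `check_images_node` label is not visible in the quoted hunk, so which checks the jump skips cannot be confirmed from these lines; naming them in the comment would make the bypass auditable.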
I wonder if you could avoid the goto by using a bool? E.g.
    /* control DTB is trusted */
    bool as_control = CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) &&
        fit == gd_fdt_blob();
    if (!as_control && CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
        ...
    }
    ...
> diff --git a/boot/Kconfig b/boot/Kconfig
> @@ -103,6 +103,15 @@ config FIT_FULL_CHECK
> +config CONTROL_DTB_AS_FIT
> + bool "Allow U-Boot's control DTB to act as FIT image"
> + help
> + Enable this to exempt U-Boot's control DTB from the sanity
> + checks done to ensure FIT images are valid. This can for
> + example be used to embed whole scripts in the control DTB,
> + that can then be invoked using 'source ${fdtcontroladdr}'.
> + See doc/develop/devicetree/control.rst for details.
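Review bot: the new CONTROL_DTB_AS_FIT entry has no `depends on` line, so as quoted it is offered even in configurations without FIT support, where it has no effect; a dependency on the FIT option would keep it out of those menus. Only the unprefixed symbol is added, while the image-fit.c hunk tests it with CONFIG_IS_ENABLED(), which in SPL/TPL builds looks for the phase-prefixed symbol, so the exemption is never active there. If that is intended, the help text should say the option applies to U-Boot proper only; otherwise a matching SPL symbol is needed.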
Please note in the help that this is safe because the control DTB is
necessarily trusted (any verification covering U-Boot also covers it),
and that only the address matching gd->fdt_blob is exempted - not
arbitrary FIT loads.
Reviewed-by: Simon Glass <sjg at chromium.org>
Regards,
Simon