[PATCH v2 1/3] image-fit.c: introduce CONTROL_DTB_AS_FIT config knob
Rasmus Villemoes
ravi at prevas.dk
Tue May 26 23:12:49 CEST 2026
On Mon, May 25 2026, Simon Glass <sjg at chromium.org> wrote:
> Hi Rasmus,
>
> On 2026-05-19T22:54:57, Rasmus Villemoes <ravi at prevas.dk> wrote:
>> image-fit.c: introduce CONTROL_DTB_AS_FIT config knob
>>
>> Having scripts embedded one way or the other in the U-Boot binary
>> means they are automatically verified/trusted by whatever mechanism
>> verifies U-Boot.
>>
>> Writing those scripts in the built-in environment leads to
>> backslashitis and missing or wrong quoting and is generally not very
>> readable or maintainable.
>>
>> Maintaining scripts in external files allows one
>> to have both syntax highlighting and to some extent apply shellcheck
>> on it (though U-Boot's shell is of course not quite POSIX sh, so some
>> '#shellcheck disable' directives are needed). Getting those into the
>> U-Boot binary is then a matter of having a suitable .dtsi file such as
>>
>> / {
>>     images {
>>         default = 'boot';
>>         boot {
>>             [...]
>>
>> boot/Kconfig | 9 +++++++++
>> boot/image-fit.c | 5 +++++
>> 2 files changed, 14 insertions(+)
>
>> diff --git a/boot/image-fit.c b/boot/image-fit.c
>> @@ -1676,6 +1676,10 @@ int fit_check_format(const void *fit, ulong size)
>> return -ENOEXEC;
>> }
>>
>> + /* For the control DTB to act as a FIT image, we only require an /images node. */
>> + if (CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) && fit == gd_fdt_blob())
>> + goto check_images_node;
>> +
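Review bot: the comment above `if (CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) && fit == gd_fdt_blob())` explains what the control DTB needs but not why it may skip the checks; say there that the control DTB is covered by whatever verification covers U-Boot itself, and that the jump bypasses the FIT_FULL_CHECK structural check as well as the description and timestamp checks, so nobody later relaxes the `fit == gd_fdt_blob()` condition to other blobs. The `check_images_node` label is outside this hunk, so the reader cannot see here where the jump lands; listing the skipped checks in the commit message would make that reviewable. The comment line with its leading tab also runs past 80 columns and should be wrapped.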
>
> I wonder if you could avoid the goto by using a bool? E.g.
>
> /* control DTB is trusted */
> bool as_control = CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) &&
> fit == gd_fdt_blob();
>
> if (!as_control && CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
> ...
> }
> ...
Not really. I mean, sure, I could avoid the goto, but it's not just the
FIT_FULL_CHECK I want to skip, it is also the 'description' and
'timestamp' checks, so using that bool I'd have to modify those if
statements as well. And I think the goto is actually the cleanest
approach.
The reason I didn't lift the 'check for an /images node' up and insert
the 'fit == gd_fdt_blob()' after, doing an early return, is that I think
in the general case, the FIT_FULL_CHECK doing the basic sanity checks of
the dtb structure itself must be done before we start asking questions
about which nodes or properties it has.
So I did go back and forth a little, but in the end I felt that this was
the cleanest and most focused addition.
>> diff --git a/boot/Kconfig b/boot/Kconfig
>> @@ -103,6 +103,15 @@ config FIT_FULL_CHECK
>> +config CONTROL_DTB_AS_FIT
>> + bool "Allow U-Boot's control DTB to act as FIT image"
>> + help
>> + Enable this to exempt U-Boot's control DTB from the sanity
>> + checks done to ensure FIT images are valid. This can for
>> + example be used to embed whole scripts in the control DTB,
>> + that can then be invoked using 'source ${fdtcontroladdr}'.
>> + See doc/develop/devicetree/control.rst for details.
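Review bot: the help text says the control DTB is "exempt from the sanity checks" without saying which checks or why that is acceptable; a menuconfig reader could take it as a general weakening of FIT validation. State that only the blob at gd->fdt_blob is affected, never a FIT image loaded at runtime, and that this is safe because the control DTB is already covered by whatever mechanism verifies U-Boot. The help also points at doc/develop/devicetree/control.rst, but the diffstat of this patch touches only boot/Kconfig and boot/image-fit.c, so that reference should land with the documentation change in the same series.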
>
> Please note in the help that this is safe because the control DTB is
> necessarily trusted (any verification covering U-Boot also covers it),
> and that only the address matching gd->fdt_blob is exempted - not
> arbitrary FIT loads.
OK. Something like
Enable this to exempt U-Boot's control DTB from the sanity checks
done to ensure FIT images are valid. This can for example be used
to embed whole scripts in the control DTB, that can then be
invoked using 'source ${fdtcontroladdr}'. In a secure boot setup,
this is safe, as the control DTB is necessarily covered by any
mechanism verifying U-Boot and can therefore be trusted. This
only affects the case where the image being checked is
gd->fdt_blob. See doc/develop/devicetree/control.rst for details.
Rasmus
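The .dtsi the commit message alludes to, written out as an added example; it is not part of the patch or of the U-Boot tree. The node name boot, the file name boot.cmd and the description are assumptions, as is the reading that 'source' with no sub-image name picks the image named by the 'default' property.

```dts
/* Added example, not from the patch: a fragment included into U-Boot's
 * control DTB so that it carries a boot script as a FIT-style sub-image.
 * With CONTROL_DTB_AS_FIT, fit_check_format() accepts the control DTB
 * because it has an /images node, so 'source ${fdtcontroladdr}' can run
 * the script from the already-verified U-Boot binary. */
/ {
	images {
		/* sub-image used when 'source' is given no name (assumption) */
		default = "boot";

		boot {
			description = "Board boot script (assumed name)";
			type = "script";       /* FIT image type for U-Boot scripts */
			compression = "none";
			/* path is an assumption; plain script text, no mkimage header */
			data = /incbin/("boot.cmd");
		};
	};
};
```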