[PATCH v2 1/3] image-fit.c: introduce CONTROL_DTB_AS_FIT config knob

Simon Glass sjg at chromium.org
Wed May 27 06:09:49 CEST 2026 

Hi Rasmus,

On Tue, 26 May 2026 at 23:12, Rasmus Villemoes <ravi at prevas.dk> wrote:
>
> On Mon, May 25 2026, Simon Glass <sjg at chromium.org> wrote:
>
> > Hi Rasmus,
> >
> > On 2026-05-19T22:54:57, Rasmus Villemoes <ravi at prevas.dk> wrote:
> >> image-fit.c: introduce CONTROL_DTB_AS_FIT config knob
> >>
> >> Having scripts embedded one way or the other in the U-Boot binary
> >> means they are automatically verified/trusted by whatever mechanism
> >> verifies U-Boot.
> >>
> >> Writing those scripts in the built-in environment leads to
> >> backslatitis and missing or wrong quoting and is generally not very
> >> readable or maintainable.
> >>
> >> Maintaining scripts in external files allows one
> >> to have both syntax highlighting and to some extent apply shellcheck
> >> on it (though U-Boot's shell is of course not quite POSIX sh, so some
> >> '#shellcheck disable' directives are needed). Getting those into the
> >> U-Boot binary is then a matter of having a suitable .dtsi file such as
> >>
> >> / {
> >>         images {
> >>                 default = 'boot';
> >>                 boot {
> >> [...]
> >>
> >> boot/Kconfig     | 9 +++++++++
> >>  boot/image-fit.c | 5 +++++
> >>  2 files changed, 14 insertions(+)
> >
> >> diff --git a/boot/image-fit.c b/boot/image-fit.c
> >> @@ -1676,6 +1676,10 @@ int fit_check_format(const void *fit, ulong size)
> >>               return -ENOEXEC;
> >>       }
> >>
> >> +     /* For the control DTB to act as a FIT image, we only require an /images node. */
> >> +     if (CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) && fit == gd_fdt_blob())
> >> +             goto check_images_node;
> >> +
> >
> > I wonder if you could avoid the goto by using a bool? E.g.
> >
> >    /* control DTB is trusted */
> >    bool as_control = CONFIG_IS_ENABLED(CONTROL_DTB_AS_FIT) &&
> >                      fit == gd_fdt_blob();
> >
> >    if (!as_control && CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
> >            ...
> >    }
> >   ...
>
> Not really. I mean, sure, I could avoid the goto, but it's not just the
> FIT_FULL_CHECK I want to skip, it is also the 'description' and
> 'timestamp' checks, so using that bool I'd have to modify those if
> statements as well. And I think the goto is actually the cleanest
> approach.
>
> The reason I didn't lift the 'check for an /images node' up and inserted
> the 'fit == gd_fdt_blob()' after, doing an early return, is that I think
> in the general case, the FIT_FULL_CHECK doing the basic sanity checks of
> the dtb structure itself must be done before we start asking questions
> about which nodes or properties it has.
>
> So I did go back and forth a little, but in the end I felt that this was
> the cleanest and most focused addition.

OK I really cannot countenance a 'goto' in the FIT code, one of the
foundations of verified boot. It's OK for error handling, but this is
no' that.

So how about splitting out the middle of fit_check_format() into a new
function that you call conditionally?

>
>
> >> diff --git a/boot/Kconfig b/boot/Kconfig
> >> @@ -103,6 +103,15 @@ config FIT_FULL_CHECK
> >> +config CONTROL_DTB_AS_FIT
> >> +     bool "Allow U-Boot's control DTB to act as FIT image"
> >> +     help
> >> +       Enable this to exempt U-Boot's control DTB from the sanity
> >> +       checks done to ensure FIT images are valid. This can for
> >> +       example be used to embed whole scripts in the control DTB,
> >> +       that can then be invoked using 'source ${fdtcontroladdr}'.
> >> +       See doc/develop/devicetree/control.rst for details.
> >
> > Please note in the help that this is safe because the control DTB is
> > necessarily trusted (any verification covering U-Boot also covers it),
> > and that only the address matching gd->fdt_blob is exempted - not
> > arbitrary FIT loads.
>
> OK. Something like
>
>        Enable this to exempt U-Boot's control DTB from the sanity checks
>        done to ensure FIT images are valid. This can for example be used
>        to embed whole scripts in the control DTB, that can then be
>        invoked using 'source ${fdtcontroladdr}'. In a secure boot setup,
>        this is safe, as the control DTB is necessarily covered by any
>        mechanism verifying U-Boot and can therefore be trusted. This
>        only affects the case where the image being checked is
>        gd->fdt_blob. See doc/develop/devicetree/control.rst for details.
>

Perfect, thanks

Regards,
Simon

More information about the U-Boot mailing list