git.ipfire.org Git - thirdparty/u-boot.git/commit

author	Simon Glass <simon.glass@canonical.com>
	Fri, 6 Mar 2026 01:20:09 +0000 (18:20 -0700)
committer	Tom Rini <trini@konsulko.com>
	Mon, 9 Mar 2026 15:49:50 +0000 (09:49 -0600)
commit	2092322b31cc8b1f8c9e2e238d1043ae0637b241
tree	4fc75ff4ae16fc2727d1c445370c43baddafde90	tree \| snapshot
parent	532a4804e965f001db6aec9ffc2ce0639eb3cf25	commit \| diff

boot: Add fit_config_get_hash_list() to build signed node list

The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.

Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.

Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.

Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.

Update the docs to cover this. The FIT spec can be updated separately.

Signed-off-by: Simon Glass <simon.glass@canonical.com>
Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <trini@konsulko.com>

boot/image-fit-sig.c		diff \| blob \| blame \| history
doc/usage/fit/signature.rst		diff \| blob \| blame \| history
test/py/tests/test_vboot.py		diff \| blob \| blame \| history