All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tom Rini <trini@konsulko.com>
To: Daniel Golle <daniel@makrotopia.org>
Cc: Simon Glass <sjg@chromium.org>,
	Ludwig Nussel <ludwig.nussel@siemens.com>,
	Anton Ivanov <anton@binarly.io>,
	Neil Armstrong <neil.armstrong@linaro.org>,
	Marek Vasut <marek.vasut@mailbox.org>,
	Quentin Schulz <quentin.schulz@cherry.de>,
	Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
	Randolph Sapp <rs@ti.com>, Francois Berder <fberder@outlook.fr>,
	u-boot@lists.denx.de
Subject: Re: [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature
Date: Mon, 13 Jul 2026 16:08:13 -0600	[thread overview]
Message-ID: <20260713220813.GX749385@bill-the-cat> (raw)
In-Reply-To: <81cb6eed897871b3548e81ee63502b65f797c44a.1783816074.git.daniel@makrotopia.org>

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

On Sun, Jul 12, 2026 at 01:33:21AM +0100, Daniel Golle wrote:

> A dm-verity protected filesystem image is not hashed by U-Boot when it
> is loaded; its integrity is delegated to the kernel, which validates the
> filesystem on the fly against the roothash taken from the FIT dm-verity
> subnode. The roothash is therefore the sole integrity anchor for the
> filesystem, yet fit_config_add_hash() only added the image node, its
> hash subnodes and its cipher subnode to the signed region, leaving the
> dm-verity subnode (roothash, salt and block parameters) unsigned.
> 
> An attacker able to rewrite the boot medium could then replace both the
> filesystem and the roothash, recompute a matching dm-verity tree and
> keep the configuration signature valid, defeating verified boot for the
> root filesystem.
> 
> Add the dm-verity subnode to the list of nodes covered by the
> configuration signature, both when signing (tools/image-host.c) and when
> verifying (boot/image-fit-sig.c), so the roothash and salt are
> authenticated together with the rest of the configuration.
> 
> Signed-off-by: Daniel Golle <daniel@makrotopia.org>

Reviewed-by: Tom Rini <trini@konsulko.com>

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

  reply	other threads:[~2026-07-13 22:08 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-12  0:33 [PATCH 0/3] boot: fit: authenticate the dm-verity roothash Daniel Golle
2026-07-12  0:33 ` [PATCH 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-13 22:08   ` Tom Rini [this message]
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17     ` Simon Glass
2026-07-14 16:46       ` Tom Rini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713220813.GX749385@bill-the-cat \
    --to=trini@konsulko.com \
    --cc=anton@binarly.io \
    --cc=daniel@makrotopia.org \
    --cc=fberder@outlook.fr \
    --cc=ludwig.nussel@siemens.com \
    --cc=marek.vasut@mailbox.org \
    --cc=neil.armstrong@linaro.org \
    --cc=quentin.schulz@cherry.de \
    --cc=rs@ti.com \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    --cc=wolfgang.wallner@at.abb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.