All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tom Rini <trini@konsulko.com>
To: Daniel Golle <daniel@makrotopia.org>
Cc: Simon Glass <sjg@chromium.org>,
	Ludwig Nussel <ludwig.nussel@siemens.com>,
	Anton Ivanov <anton@binarly.io>,
	Neil Armstrong <neil.armstrong@linaro.org>,
	Marek Vasut <marek.vasut@mailbox.org>,
	Quentin Schulz <quentin.schulz@cherry.de>,
	Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
	Randolph Sapp <rs@ti.com>, Francois Berder <fberder@outlook.fr>,
	u-boot@lists.denx.de
Subject: Re: [PATCH 3/3] test: fit: verify dm-verity roothash is covered by the config signature
Date: Mon, 13 Jul 2026 16:08:42 -0600	[thread overview]
Message-ID: <20260713220842.GY749385@bill-the-cat> (raw)
In-Reply-To: <4adbf45f0d33802ebd2afd627f639e47c6609e17.1783816074.git.daniel@makrotopia.org>

[-- Attachment #1: Type: text/plain, Size: 3338 bytes --]

On Sun, Jul 12, 2026 at 01:33:46AM +0100, Daniel Golle wrote:

> A dm-verity protected filesystem image is not hashed by U-Boot; its
> integrity is delegated to the kernel, which trusts the roothash taken
> from the FIT dm-verity subnode. For that chain of trust to hold, the
> roothash (and salt) must be part of the region covered by the
> configuration signature, otherwise an attacker can replace both the
> filesystem and the roothash while keeping the signature valid.
> 
> Add two independent checks of this property:
> 
>  - test/py/tests/test_fit_verity_sign.py signs a configuration that
>    references a filesystem image carrying a dm-verity subnode, then
>    confirms that tampering the roothash or the salt is rejected by
>    fit_check_sign. A control that tampers a byte known to be signed
>    proves the check can fail.
> 
>  - test/boot/fit_verity.c gains a runtime unit test that builds the
>    exact node list the configuration signature is computed over,
>    turns it into hashed regions and checks both that the roothash
>    bytes fall inside a signed region and that tampering them changes
>    the hash. It needs no private key, so it also runs on real devices
>    and uses the same hash path a device would.
> 
> To let the unit test build the signed-region node list, rename the
> config node-list helper to fit_config_get_signed_nodes() and expose it
> only when unit tests are built (VISIBLE_IF_UT), keeping it static in
> normal builds.
> 
> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
> ---
>  boot/image-fit-sig.c                  |  25 +++-
>  include/image.h                       |  25 ++++
>  test/boot/fit_verity.c                | 194 ++++++++++++++++++++++++++
>  test/py/tests/test_fit_verity_sign.py | 162 +++++++++++++++++++++
>  4 files changed, 399 insertions(+), 7 deletions(-)
>  create mode 100644 test/py/tests/test_fit_verity_sign.py
> 
> diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
> index c2f09885492..1181fefb55f 100644
> --- a/boot/image-fit-sig.c
> +++ b/boot/image-fit-sig.c
> @@ -340,8 +340,19 @@ static int fit_config_add_hash(const void *fit, int image_noffset,
>  	return 0;
>  }
>  
> +/*
> + * fit_config_get_signed_nodes() is internal, but the fit_verity unit test
> + * needs to build the same signed-region node list. Make it visible when unit
> + * tests are built and keep it static otherwise.
> + */
> +#if CONFIG_IS_ENABLED(UNIT_TEST)
> +#define VISIBLE_IF_UT
> +#else
> +#define VISIBLE_IF_UT static
> +#endif

I don't like this kind of "game", and I think it's why we generally just
don't mark functions as static that could be, if not for UNIT_TEST.
Finding a more general way to handle this would be good and an unrelated
clean-up (after verifying that for example, marking a ton of stuff as
now static results in a more compact binary or provides some obvious
gain).

My other comment would be that we should be doing like 
doc/develop/pytest//test_fit.rst for example and making sure we have
good and usable generated documentation (so using pydoc comments, not
"#" style). And FYI that usually means building and viewing the docs
locally, not just making sure CI passes, it can be tricky I've found to
get examples annotated correctly to render usefully.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

  reply	other threads:[~2026-07-13 22:08 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-12  0:33 [PATCH 0/3] boot: fit: authenticate the dm-verity roothash Daniel Golle
2026-07-12  0:33 ` [PATCH 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
2026-07-13 22:08   ` Tom Rini [this message]
2026-07-14 12:17     ` Simon Glass

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260713220842.GY749385@bill-the-cat \
    --to=trini@konsulko.com \
    --cc=anton@binarly.io \
    --cc=daniel@makrotopia.org \
    --cc=fberder@outlook.fr \
    --cc=ludwig.nussel@siemens.com \
    --cc=marek.vasut@mailbox.org \
    --cc=neil.armstrong@linaro.org \
    --cc=quentin.schulz@cherry.de \
    --cc=rs@ti.com \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    --cc=wolfgang.wallner@at.abb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.