From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>
Cc: "Simon Glass" <sjg@chromium.org>,
"Quentin Schulz" <quentin.schulz@cherry.de>,
"Kory Maincent" <kory.maincent@bootlin.com>,
"Mattijs Korpershoek" <mkorpershoek@kernel.org>,
"Martin Schwan" <m.schwan@phytec.de>,
"Anshul Dalal" <anshuld@ti.com>,
"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
"Sughosh Ganu" <sughosh.ganu@arm.com>,
"Aristo Chen" <jj251510319013@gmail.com>,
"牛 志宏" <Zone.Niuzh@hotmail.com>,
"Marek Vasut" <marek.vasut+renesas@mailbox.org>,
"Heinrich Schuchardt" <xypron.glpk@gmx.de>,
"Wolfgang Wallner" <wolfgang.wallner@at.abb.com>,
"Frank Wunderlich" <frank-w@public-files.de>,
"David Lechner" <dlechner@baylibre.com>,
"Osama Abdelkader" <osama.abdelkader@gmail.com>,
"Mikhail Kshevetskiy" <mikhail.kshevetskiy@iopsys.eu>,
"Michael Trimarchi" <michael@amarulasolutions.com>,
"Miquel Raynal" <miquel.raynal@bootlin.com>,
"Andrew Goodbody" <andrew.goodbody@linaro.org>,
"Yegor Yefremov" <yegorslists@googlemail.com>,
"Mike Looijmans" <mike.looijmans@topic.nl>,
"Weijie Gao" <weijie.gao@mediatek.com>,
"Alexander Stein" <alexander.stein@ew.tq-group.com>,
"Neil Armstrong" <neil.armstrong@linaro.org>,
"Mayuresh Chitale" <mchitale@ventanamicro.com>,
"Paul HENRYS" <paul.henrys_ext@softathome.com>,
u-boot@lists.denx.de, "John Crispin" <john@phrozen.org>,
"Paul Spooren" <mail@aparcar.org>,
"Marek Vasut" <marek.vasut@mailbox.org>
Subject: Re: [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading
Date: Tue, 24 Feb 2026 00:37:19 +0000 [thread overview]
Message-ID: <aZzyv1sUrnm2PKBc@makrotopia.org> (raw)
In-Reply-To: <20260218203314.GG3233182@bill-the-cat>
On Wed, Feb 18, 2026 at 02:33:14PM -0600, Tom Rini wrote:
> On Wed, Feb 18, 2026 at 05:25:20PM +0000, Daniel Golle wrote:
> > On Wed, Feb 18, 2026 at 09:58:39AM -0600, Tom Rini wrote:
> > > On Tue, Feb 17, 2026 at 10:25:13PM +0000, Daniel Golle wrote:
> > > > [...]
> > > > As the existing code expects the whole image to reside in RAM and only
> > > > take care of validation, decompression and relocation, I had to extend
> > > > image-fit.c to use the image_loader to only load the parts *from
> > > > storage* which are actually needed, and if possible, load them directly
> > > > to where they are supposed to go. Imho, the code is simple enough to
> > > > just look at it:
> > > >
> > > > https://patchwork.ozlabs.org/project/uboot/patch/ab7837536e4567b90d7cb662984dd7e637ef4361.1771275704.git.daniel@makrotopia.org/
> > > >
> > > > At this stage (because I first wanted to discuss the general approach)
> > > > the patch still skips some parts of image-fit.c, which is obviously not
> > > > acceptable for upstream inclusion, but good enough to demonstrate the
> > > > idea and also try it in practise.
> > > >
> > > > Ie. the 'goto storage_loaded' has to go away and all of image-fit.c has
> > > > to be changed to equally work on RAM-backed or storage-backed images.
> > >
> > > I was talking with Marek to recall some of the details about what we can
> > > and can't (easily..) do today with external data and he remidned me of
> > > something. So one big concern here is that we have to be care to not
> > > re-open things like:
> > > https://nvd.nist.gov/vuln/detail/CVE-2023-39902
> > > or otherwise allow for mix-and-match type attacks by having some sort of
> > > partial reads allowed.
> > >
> > > So a specialized partial-read of FIT images, in full U-Boot (not just
> > > SPL), is something to figure out, but may also invalidate one of your
> > > design goals because you do have to authenticate the whole image, unless
> > > there's something both secure and clever I'm missing.
> >
> > The idea here is to have one or more IH_TYPE_FILESYSTEM subimages which
> > do not have hash-* subnodes at all, hence, if there is anyway nothing to
> > validate and they do not need to be loaded to RAM (ie. no load address),
> > they can be skipped entirely, even if listed as 'loadable' (which is how
> > the parser in the kernel currently knows which filesystem image to map;
> > we could introduce a new property different from 'loadables', of course).
> > Everything else which is part of the selected configuration node of
> > course has to be loaded and authenticated.
> >
> > To compensate for the authentication of IH_TYPE_FILESYSTEM subimages not
> > done by U-Boot before launching Linux, the dm-verity root hash passed to
> > Linux via cmdline should be part of the signed configuration, eg. by
> > including an image of IH_TYPE_SCRIPT modifying 'bootargs', or by coming
> > up with a new image type specifically for that purpose. Or, even better
> > but a bit more involved, include the dm-verity roothash in the ITS spec
> > instead of the hash-* nodes.
> >
> > In terms of security, anyway only dm-verity makes sense, as there is no
> > point in validating the filesystem subimage if what is validated then
> > isn't also what is used -- one could quickly swap the storage device
> > after U-Boot has launched the kernel and before Linux mounts the rootfs
> > (from storage!) ending up with a different rootfs than what U-Boot had
> > previously validated when authenticating the image.
>
> Right, OK. What I was thinking about, but Marek corrected me on, is
> about where we may or may not have problems about authentication. So
> long as we start by reading in the whole of the FIT (which excludes
> external data, being external) and start the authentication with that,
> we should be fine.
>
> I have some other questions / concerns still, but there's also still a
> number of other emails I sent that're outstanding. So, can you please
> link to an itb that would be making use of your proposed feature? Being
> able to examine that would help me be more precise in my own questions,
> thanks.
I don't have any option at hand to host larger binaries anywhere public.
If you know any service which allows to do this for free without
requiring a complicated and personal-data-exposing sign-up procedure,
please let me know, I'll use that.
Meanwhile, as the content of the large data blobs probably anyway
doesn't matter for this discussion, here is the decompiled FIT structure:
/dts-v1/;
/ {
timestamp = <0x69987422>;
description = "ARM64 OpenWrt FIT (Flattened Image Tree)";
#address-cells = <0x01>;
images {
kernel-1 {
data-size = <0x5e4cdb>;
data-position = <0x4000>;
description = "ARM64 OpenWrt Linux-6.12.71";
type = "kernel";
arch = "arm64";
os = "linux";
compression = "gzip";
load = <0x44000000>;
entry = <0x44000000>;
hash-1 {
value = <0x5e864feb>;
algo = "crc32";
};
hash-2 {
value = <0x1029dbef 0xda4938de 0x16eda8c5 0x9c0fffc2 0x1a4c458f>;
algo = "sha1";
};
};
fdt-1 {
data-size = <0x7d10>;
data-position = <0x5e9000>;
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree blob";
type = "flat_dt";
load = <0x43f00000>;
arch = "arm64";
compression = "none";
hash-1 {
value = <0x331fdfaf>;
algo = "crc32";
};
hash-2 {
value = <0x4930ba36 0xe594a76b 0xcf6ba90b 0xa8c92ae5 0xdc68ed66>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-emmc {
data-size = <0x405>;
data-position = <0x5f1000>;
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-emmc";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0x59209fd3>;
algo = "crc32";
};
hash-2 {
value = <0xb76ad9bb 0x9619b789 0x8e920f02 0x27be0a3a 0x6154b007>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-nand {
data-size = <0x46c>;
data-position = "", "_ ";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-nand";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xaeedea4c>;
algo = "crc32";
};
hash-2 {
value = <0xc47f4473 0xcf3eb99a 0x284f63a0 0xb508857d 0xed829f97>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-nor {
data-size = <0x4be>;
data-position = "", "_0";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-nor";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xa3898f18>;
algo = "crc32";
};
hash-2 {
value = <0xc45f4ad9 0x30273fbc 0x6721b946 0xa380aca1 0xc9bbd5a4>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-sd {
data-size = <0x36b>;
data-position = "", "_@";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-sd";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xd0cb47a7>;
algo = "crc32";
};
hash-2 {
value = <0xb62232a8 0x23113c8a 0xc6973ef9 0x1748f275 0xe6e423fc>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-respeaker-2mics {
data-size = <0x5b2>;
data-position = "", "_P";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-respeaker-2mics";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xc8d3f33c>;
algo = "crc32";
};
hash-2 {
value = <0x29e3a558 0x75e9a9d8 0x34d88eaa 0x5c134e78 0xa05deef9>;
algo = "sha1";
};
};
rootfs-1 {
data-size = <0x1005000>;
data-position = "", "_`";
description = "ARM64 OpenWrt bananapi_bpi-r3 rootfs";
type = "filesystem";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xde4b8717>;
algo = "crc32";
};
hash-2 {
value = <0x13535da6 0x7fa95cda 0x9331dc1 0x1cd01dd 0xaea3701e>;
algo = "sha1";
};
dm-verity {
block-size = <0x1000>;
data-blocks = <0xfe3>;
algo = "sha256";
root-hash = "61b01a3b94d7e1166ed34bbdf60a65944f49fcebced531d5cdc98b8b65b2a898";
salt = "73a9020ed5a88a54f8392dd1b141a6def3072461061275db72ef18e6e1851c6c";
};
};
};
configurations {
default = "config-mt7986a-bananapi-bpi-r3";
config-mt7986a-bananapi-bpi-r3 {
description = "OpenWrt bananapi_bpi-r3";
kernel = "kernel-1";
fdt = "fdt-1";
loadables = "rootfs-1";
};
mt7986a-bananapi-bpi-r3-emmc {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-emmc";
fdt = "fdt-mt7986a-bananapi-bpi-r3-emmc";
};
mt7986a-bananapi-bpi-r3-nand {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-nand";
fdt = "fdt-mt7986a-bananapi-bpi-r3-nand";
};
mt7986a-bananapi-bpi-r3-nor {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-nor";
fdt = "fdt-mt7986a-bananapi-bpi-r3-nor";
};
mt7986a-bananapi-bpi-r3-sd {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-sd";
fdt = "fdt-mt7986a-bananapi-bpi-r3-sd";
};
mt7986a-bananapi-bpi-r3-respeaker-2mics {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-respeaker-2mics";
fdt = "fdt-mt7986a-bananapi-bpi-r3-respeaker-2mics";
};
};
};
next prev parent reply other threads:[~2026-02-24 0:47 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 21:21 [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 01/20] boot: add image_loader on-demand loading abstraction Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 02/20] boot: image-loader: add block device backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 03/20] mtd: add mtd_read_skip_bad() helper Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 04/20] boot: image-loader: add MTD backend Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 05/20] cmd: ubi: export ubi_find_volume() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 06/20] mtd: set flash_node on DT-created partitions Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 07/20] cmd: ubi: add ubi_part_from_mtd() Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 08/20] boot: image-loader: add UBI volume backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:51 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-23 19:24 ` Daniel Golle
2026-02-23 19:30 ` Mikhail Kshevetskiy
2026-02-23 19:32 ` Mikhail Kshevetskiy
2026-02-24 0:12 ` Daniel Golle
2026-02-24 0:40 ` Mikhail Kshevetskiy
2026-02-24 1:06 ` Daniel Golle
2026-02-23 20:06 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 09/20] boot: fit: support on-demand loading in fit_image_load() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:47 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-24 12:41 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 10/20] cmd: bootm: accept storage device as image source Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 11/20] test: boot: add image_loader unit tests Daniel Golle
2026-02-17 19:05 ` Tom Rini
2026-02-19 13:10 ` Simon Glass
2026-02-19 14:04 ` Tom Rini
2026-02-19 14:34 ` Simon Glass
2026-02-19 15:41 ` Tom Rini
2026-02-16 21:23 ` [RFC PATCH 12/20] doc: bootm: document direct storage boot Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 13/20] boot: bootmeth: add OpenWrt boot method skeleton Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 14:00 ` Tom Rini
2026-02-19 14:31 ` Simon Glass
2026-02-19 15:31 ` Tom Rini
2026-02-19 16:52 ` Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 14/20] boot: bootmeth: openwrt: implement read_bootflow for block devices Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 15/20] boot: bootmeth: openwrt: implement boot via bootm storage path Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 16/20] boot: bootdev: add MTD boot device Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 17/20] boot: bootdev: add UBI " Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:56 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 18/20] boot: bootmeth: openwrt: support MTD and UBI bootdevs Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 19/20] boot: bootmeth: openwrt: add openwrt_boot_script hook for bootconf Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 20/20] boot: bootmeth: openwrt: add slot configuration from environment Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 22:16 ` [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Marek Vasut
2026-02-17 1:18 ` Daniel Golle
2026-02-17 2:04 ` Marek Vasut
2026-02-17 13:02 ` Daniel Golle
2026-02-17 19:15 ` Tom Rini
2026-02-17 13:32 ` Simon Glass
2026-02-17 15:08 ` Tom Rini
2026-02-17 17:46 ` Tom Rini
2026-02-23 19:32 ` Tom Rini
2026-02-24 11:57 ` Daniel Golle
2026-02-24 17:24 ` Tom Rini
2026-02-25 14:34 ` Daniel Golle
2026-02-25 22:16 ` Tom Rini
2026-02-25 23:49 ` Daniel Golle
2026-02-26 18:45 ` Tom Rini
2026-02-26 23:44 ` Simon Glass
2026-02-17 18:13 ` Tom Rini
2026-02-17 19:28 ` Daniel Golle
2026-02-17 19:35 ` Tom Rini
2026-02-17 21:07 ` Daniel Golle
2026-02-17 21:18 ` Tom Rini
[not found] ` <aZTqyRfqYe1iJ9EY@makrotopia.org>
2026-02-18 15:58 ` Tom Rini
2026-02-18 17:25 ` Daniel Golle
2026-02-18 20:33 ` Tom Rini
2026-02-24 0:37 ` Daniel Golle [this message]
2026-02-24 14:24 ` Tom Rini
2026-02-24 14:36 ` Daniel Golle
2026-02-18 23:08 ` Daniel Golle
2026-02-19 15:29 ` Tom Rini
2026-02-17 19:20 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZzyv1sUrnm2PKBc@makrotopia.org \
--to=daniel@makrotopia.org \
--cc=Zone.Niuzh@hotmail.com \
--cc=alexander.stein@ew.tq-group.com \
--cc=andrew.goodbody@linaro.org \
--cc=anshuld@ti.com \
--cc=dlechner@baylibre.com \
--cc=frank-w@public-files.de \
--cc=ilias.apalodimas@linaro.org \
--cc=jj251510319013@gmail.com \
--cc=john@phrozen.org \
--cc=kory.maincent@bootlin.com \
--cc=m.schwan@phytec.de \
--cc=mail@aparcar.org \
--cc=marek.vasut+renesas@mailbox.org \
--cc=marek.vasut@mailbox.org \
--cc=mchitale@ventanamicro.com \
--cc=michael@amarulasolutions.com \
--cc=mike.looijmans@topic.nl \
--cc=mikhail.kshevetskiy@iopsys.eu \
--cc=miquel.raynal@bootlin.com \
--cc=mkorpershoek@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=osama.abdelkader@gmail.com \
--cc=paul.henrys_ext@softathome.com \
--cc=quentin.schulz@cherry.de \
--cc=sjg@chromium.org \
--cc=sughosh.ganu@arm.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=weijie.gao@mediatek.com \
--cc=wolfgang.wallner@at.abb.com \
--cc=xypron.glpk@gmx.de \
--cc=yegorslists@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.