From: Sascha Hauer <s.hauer@pengutronix.de>
To: Tom Rini <trini@konsulko.com>
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH] FIT: Address Secure Boot Bypass for Signed FIT Images
Date: Wed, 4 Mar 2026 08:31:46 +0100 [thread overview]
Message-ID: <aaff4oDKlkINa8H7@pengutronix.de> (raw)
In-Reply-To: <20260302220937.3682128-1-trini@konsulko.com>
Hi Tom,
On Mon, Mar 02, 2026 at 04:09:37PM -0600, Tom Rini wrote:
> There is a flaw in how U-Boot verifies and generates signatures for FIT
> images. To prevent mix and match style attacks, it is recommended to
> use signed configurations. How this is supposed to work is documented in
> doc/usage/fit/signature.rst.
>
> Crucially, the `hashed-nodes` property of the `signature` node contains
> which nodes of the FIT device tree were hashed as part of the signature
> and should be verified. However, this property itself is not part of the
> hash and can therefore be modified by an attacker. Furthermore, the
> signature only contains the name of each node and not the path in the
> device tree to the node.
>
> This patch reworks the code to address this specific oversight.
As this breaks compatibility between old U-Boot and new FIT images and
the other way round it would be good to introduce a version field to FIT
images. With that at least newer U-Boot versions could print a more
meaningful error message than just "image verification failed" which
gives no clue what had actually happened.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2026-03-04 7:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-02 22:09 [PATCH] FIT: Address Secure Boot Bypass for Signed FIT Images Tom Rini
2026-03-03 8:08 ` Ahmad Fatoum
2026-03-03 13:32 ` Simon Glass
2026-03-03 15:54 ` Tom Rini
2026-03-03 15:53 ` Tom Rini
2026-03-04 9:22 ` Nussel, Ludwig
2026-03-04 12:04 ` Simon Glass
2026-03-05 18:25 ` Quentin Schulz
2026-03-04 7:31 ` Sascha Hauer [this message]
2026-03-04 14:47 ` Tom Rini
2026-03-04 16:33 ` Quentin Schulz
2026-03-05 8:32 ` Sascha Hauer
2026-03-05 14:48 ` Rasmus Villemoes
2026-03-05 18:07 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaff4oDKlkINa8H7@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.