From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
Mario Six <mario.six@gdsys.cc>,
Quentin Schulz <quentin.schulz@cherry.de>,
Kory Maincent <kory.maincent@bootlin.com>,
Mattijs Korpershoek <mkorpershoek@kernel.org>,
Peng Fan <peng.fan@nxp.com>, Martin Schwan <m.schwan@phytec.de>,
Daniel Golle <daniel@makrotopia.org>,
Anshul Dalal <anshuld@ti.com>,
Sughosh Ganu <sughosh.ganu@arm.com>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Ludwig Nussel <ludwig.nussel@siemens.com>,
Benjamin ROBIN <dev@benjarobin.fr>,
Marek Vasut <marek.vasut+renesas@mailbox.org>,
James Hilliard <james.hilliard1@gmail.com>,
Julien Stephan <jstephan@baylibre.com>,
David Lechner <dlechner@baylibre.com>,
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>,
Neil Armstrong <neil.armstrong@linaro.org>,
Svyatoslav Ryhel <clamor95@gmail.com>,
Michal Simek <michal.simek@amd.com>,
Pieter Van Trappen <pieter.van.trappen@cern.ch>,
Dinesh Maniyam <dinesh.maniyam@altera.com>,
Sam Protsenko <semen.protsenko@linaro.org>,
Mayuresh Chitale <mchitale@ventanamicro.com>,
Shiji Yang <yangshiji66@outlook.com>,
Jonas Karlman <jonas@kwiboo.se>,
Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
Aristo Chen <jj251510319013@gmail.com>,
Rasmus Villemoes <ravi@prevas.dk>,
Francois Berder <fberder@outlook.fr>,
u-boot@lists.denx.de
Subject: [PATCH v5 0/8] fit: dm-verity support
Date: Sat, 16 May 2026 00:37:31 +0100
Message-ID: <cover.1778887196.git.daniel@makrotopia.org>

This series adds dm-verity support to U-Boot's FIT image infrastructure.
It is the first logical subset of the larger OpenWrt boot method series
posted as an RFC in February 2026 [1], extracted here for independent
review and merging.

OpenWrt's firmware model embeds a read-only squashfs or erofs root
filesystem directly inside a uImage.FIT container as a FILESYSTEM-type
loadable FIT image. At boot the kernel maps this sub-image directly from
the underlying block device via the fitblk driver (/dev/fit0, /dev/fit1,
...); the goal is that the bootloader never even copies it to RAM.

dm-verity enables the kernel to verify the integrity of those mapped
filesystems at read time, with a Merkle hash tree stored contiguously in
the same sub-image just after the data. Two kernel command-line
parameters are required:

  dm-mod.create=  -- the device-mapper target table for the verity device
  dm-mod.waitfor= -- a comma-separated list of block devices to wait for
                     before dm-init sets up the targets (needed when fitblk
                     probes late, e.g. because it depends on NVMEM
                     calibration data)

The FIT dm-verity node schema was upstreamed into the flat-image-tree
specification [2], which this implementation tries to follow exactly.

The runtime feature is guarded behind CONFIG_FIT_VERITY. If not
enabled the resulting binary size remains unchanged. If enabled the
binary size increases by about 3kB.

[1] previous submissions:
    RFC: https://www.mail-archive.com/u-boot@lists.denx.de/msg565945.html
    v1:  https://www.mail-archive.com/u-boot@lists.denx.de/msg569472.html
    v2:  https://www.mail-archive.com/u-boot@lists.denx.de/msg570599.html
    v3:  https://www.mail-archive.com/u-boot@lists.denx.de/msg573223.html
    v4:  https://www.mail-archive.com/u-boot@lists.denx.de/msg574000.html
[2] flat-image-tree dm-verity node spec:
    https://github.com/open-source-firmware/flat-image-tree/commit/795fd5fd7f0121d0cb03efb1900aafc61c704771

v5: address comments by Heinrich Schuchardt and Simon Glass
 * mkimage: drop unused image_noffset parameter from
   fit_image_process_verity()
 * mkimage: replace popen() and the valid_algos[] allowlist with
   fork()/execvp(), eliminating shell-injection risk and allowlist
   drift
 * mkimage: drop the verity-data-file FDT property; cache the
   expanded buffer (original data + Merkle hash tree) in memory keyed
   by image name, unlink the temporary file immediately after read-
   back, and expose fit_verity_get_expanded() so fit_extract_data()
   consumes the buffer directly -- removes the tmpfile-leak surface
   along the way
 * mkimage: use unsigned int for data-block-size / hash-block-size
   on the host side too (consistency with v3 runtime change)
 * doc: document that the fitblk driver requires each filesystem
   sub-image to be aligned to the underlying block-device block size,
   and that 'mkimage -B <align>' (typically -B 0x1000) achieves this;
   clarify that this is independent of the dm-verity data-block-size
   / hash-block-size properties

v4: address comments by Simon Glass
 * pytest: verify the computed digest with veritysetup verify against
   the external data section
 * pytest: parametrize test_mkimage_verity with matched and mismatched
   block sizes to exercise hash-start-block != num-data-blocks
 * pytest: use run_and_log_expect_exception() with the expected
   diagnostic for the no-external-data case

v3: address comments by Heinrich Schuchardt and Simon Glass
 * use unsigned int instead of int for data-block-size and hash-block-size
 * replace printf() with log_err() for the "broken dm-verity metadata"
   diagnostic
 * use FIT_VERITY_*_PROP, FIT_TYPE_PROP and FIT_LOADABLE_PROP constants
   in the unit test instead of literal strings
 * extend the mkimage block-count overflow check to also cover
   hash_start_block (matters when hash-block-size < data-block-size)
 * doc: clarify that hash-start-block only equals num-data-blocks when
   data-block-size == hash-block-size
 * pytest: drop unused 'struct' import and the home-rolled
   have_veritysetup() helper in favour of
   @pytest.mark.requiredtool('veritysetup')

v2: address comments by Simon Glass
 * use is_power_of_2() for pre-boot sanity check
 * let fit_verity_build_cmdline() return 0 on success
 * add comment explaining why bootm_start() calls fit_verity_free()
 * use existing hex2bin() (and adapt it to be usable for host-tools)
 * fix stale comment still including superblock despite veritysetup
   being called with --no-superblock
 * add power-of-two check for data-block-size and hash-block-size to
   mkimage
 * don't ignore return value of fdt_delprop()
 * various documentation fixes, minimal example
 * add pytest for mkimage part
 * add run-time unit test for cmdline generation part

Daniel Golle (8):
  image: fit: add dm-verity property name constants
  boot: fit: support generating DM verity cmdline parameters
  include: hexdump: make hex2bin() usable from host tools
  tools: mkimage: add dm-verity Merkle-tree generation
  doc: fit: add dm-verity boot parameter documentation
  test: boot: add runtime unit test for fit_verity_build_cmdline()
  test: py: add mkimage dm-verity round-trip test
  configs: sandbox: enable CONFIG_FIT_VERITY

 boot/Kconfig                       |  20 ++
 boot/bootm.c                       |  13 +
 boot/image-board.c                 |   5 +
 boot/image-fit.c                   | 337 +++++++++++++++++++++++
 configs/sandbox64_defconfig        |   1 +
 configs/sandbox_defconfig          |   1 +
 configs/sandbox_flattree_defconfig |   1 +
 doc/usage/fit/dm-verity.rst        | 304 +++++++++++++++++++++
 doc/usage/fit/index.rst            |   1 +
 include/hexdump.h                  |   8 +-
 include/image.h                    | 115 +++++++-
 test/boot/Makefile                 |   1 +
 test/boot/fit_verity.c             | 306 +++++++++++++++++++++
 test/cmd_ut.c                      |   2 +
 test/py/tests/test_fit_verity.py   | 175 ++++++++++++
 tools/fit_image.c                  |  91 ++++++-
 tools/image-host.c                 | 414 ++++++++++++++++++++++++++++-
 17 files changed, 1783 insertions(+), 12 deletions(-)
 create mode 100644 doc/usage/fit/dm-verity.rst
 create mode 100644 test/boot/fit_verity.c
 create mode 100644 test/py/tests/test_fit_verity.py
--
2.54.0
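
Added example, not part of the original message and not U-Boot's fit_verity_build_cmdline(): a sketch of how the two kernel parameters described in the cover letter can be derived for the layout it describes (hash tree directly after the data on the same device, no superblock), including why hash-start-block differs from num-data-blocks when the block sizes differ. The function name verity_cmdline(), the dm device name "fit-verity" and the fixed sha256 algorithm are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512u	/* device-mapper tables count in 512-byte sectors */

static int is_pow2(unsigned int v) { return v && !(v & (v - 1)); }

/* Hex digits only: keeps ',' ';' '"' and spaces (dm-init separators) out. */
static int is_hex(const char *s)
{
	return *s && strspn(s, "0123456789abcdefABCDEF") == strlen(s);
}

/*
 * Hypothetical helper. Assumed layout: Merkle tree starts right after the
 * data on the same device, no superblock. "fit-verity" and sha256 are
 * constructed values. Returns 0, or -1 on bad metadata or a short buffer.
 */
int verity_cmdline(char *buf, size_t len, const char *dev, uint64_t data_bytes,
		   unsigned int data_bs, unsigned int hash_bs,
		   const char *digest, const char *salt)
{
	int n;

	if (!is_pow2(data_bs) || !is_pow2(hash_bs) ||
	    data_bs < SECTOR || hash_bs < SECTOR)
		return -1;
	/* data must be whole blocks and the tree must start on a hash block */
	if (!data_bytes || data_bytes % data_bs || data_bytes % hash_bs)
		return -1;
	if (!is_hex(digest) || (strcmp(salt, "-") && !is_hex(salt)) ||
	    strpbrk(dev, " ,;\""))
		return -1;

	n = snprintf(buf, len,
		     "dm-mod.create=\"fit-verity,,,ro,0 %llu verity 1 %s %s %u %u "
		     "%llu %llu sha256 %s %s\" dm-mod.waitfor=%s",
		     (unsigned long long)(data_bytes / SECTOR), dev, dev,
		     data_bs, hash_bs,
		     (unsigned long long)(data_bytes / data_bs), /* num-data-blocks */
		     (unsigned long long)(data_bytes / hash_bs), /* hash-start-block */
		     digest, salt, dev);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

For an 8 MiB filesystem with data-block-size 4096 and hash-block-size 1024 this yields num-data-blocks 2048 but hash-start-block 8192, the mismatched case the v3/v4 changelog entries refer to.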