All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
	Daniel Golle <daniel@makrotopia.org>,
	Ludwig Nussel <ludwig.nussel@siemens.com>,
	Anton Ivanov <anton@binarly.io>,
	Neil Armstrong <neil.armstrong@linaro.org>,
	Marek Vasut <marek.vasut@mailbox.org>,
	Quentin Schulz <quentin.schulz@cherry.de>,
	Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
	Randolph Sapp <rs@ti.com>, Francois Berder <fberder@outlook.fr>,
	u-boot@lists.denx.de
Subject: [PATCH 0/3] boot: fit: authenticate the dm-verity roothash
Date: Sun, 12 Jul 2026 01:33:05 +0100	[thread overview]
Message-ID: <cover.1783816074.git.daniel@makrotopia.org> (raw)

A signed FIT configuration can delegate the integrity of a (potentially
large) root filesystem image to the kernel's dm-verity instead of having
U-Boot hash the whole payload at boot: the FIT carries a "dm-verity"
subnode with the roothash, salt and block parameters, U-Boot passes the
roothash to Linux through the dm-mod.create bootargs, and dm-verity then
validates the filesystem block by block against it.

For that to be safe the roothash has to be trusted, and in a signed
configuration the only thing that establishes trust is the configuration
signature. The roothash was not covered by it. fit_config_add_hash()
collected the image node, its hash subnodes and its cipher subnode into
the signed region, but not the dm-verity subnode, so the roothash, the
sole integrity anchor for the filesystem, was left unsigned.

The result is a verified-boot bypass for the root filesystem: an
attacker who can rewrite the boot medium can replace the filesystem,
recompute a matching dm-verity tree, write the new roothash into the
unsigned dm-verity subnode, and the configuration signature still
verifies. dm-verity then faithfully validates the malicious filesystem
against the attacker's roothash.

This series closes the gap.

Daniel Golle (3):
  boot: fit: factor out node-path collection in fit_config_add_hash()
  boot: fit: cover the dm-verity roothash with the config signature
  test: fit: verify dm-verity roothash is covered by the config
    signature

 boot/image-fit-sig.c                  | 119 ++++++++++------
 include/image.h                       |  25 ++++
 test/boot/fit_verity.c                | 194 ++++++++++++++++++++++++++
 test/py/tests/test_fit_verity_sign.py | 162 +++++++++++++++++++++
 tools/image-host.c                    |  22 +++
 5 files changed, 483 insertions(+), 39 deletions(-)
 create mode 100644 test/py/tests/test_fit_verity_sign.py


base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
-- 
2.55.0

             reply	other threads:[~2026-07-12  0:33 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-12  0:33 Daniel Golle [this message]
2026-07-12  0:33 ` [PATCH 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17   ` Simon Glass
2026-07-12  0:33 ` [PATCH 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
2026-07-13 22:08   ` Tom Rini
2026-07-14 12:17     ` Simon Glass
2026-07-14 16:46       ` Tom Rini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1783816074.git.daniel@makrotopia.org \
    --to=daniel@makrotopia.org \
    --cc=anton@binarly.io \
    --cc=fberder@outlook.fr \
    --cc=ludwig.nussel@siemens.com \
    --cc=marek.vasut@mailbox.org \
    --cc=neil.armstrong@linaro.org \
    --cc=quentin.schulz@cherry.de \
    --cc=rs@ti.com \
    --cc=sjg@chromium.org \
    --cc=trini@konsulko.com \
    --cc=u-boot@lists.denx.de \
    --cc=wolfgang.wallner@at.abb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.