From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
Daniel Golle <daniel@makrotopia.org>,
Ludwig Nussel <ludwig.nussel@siemens.com>,
Anton Ivanov <anton@binarly.io>,
Marek Vasut <marek.vasut@mailbox.org>,
Neil Armstrong <neil.armstrong@linaro.org>,
Quentin Schulz <quentin.schulz@cherry.de>,
Jonas Karlman <jonas@kwiboo.se>, Randolph Sapp <rs@ti.com>,
Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
Francois Berder <fberder@outlook.fr>,
u-boot@lists.denx.de
Subject: [PATCH v2 0/3] boot: fit: authenticate the dm-verity roothash
Date: Tue, 14 Jul 2026 03:33:23 +0100 [thread overview]
Message-ID: <cover.1783995924.git.daniel@makrotopia.org> (raw)
A signed FIT configuration can delegate the integrity of a (potentially
large) root filesystem image to the kernel's dm-verity instead of having
U-Boot hash the whole payload at boot: the FIT carries a "dm-verity"
subnode with the roothash, salt and block parameters, U-Boot passes the
roothash to Linux through the dm-mod.create bootargs, and dm-verity then
validates the filesystem block by block against it.
For that to be safe the roothash has to be trusted, and in a signed
configuration the only thing that establishes trust is the configuration
signature. The roothash was not covered by it. fit_config_add_hash()
collected the image node, its hash subnodes and its cipher subnode into
the signed region, but not the dm-verity subnode, so the roothash, the
sole integrity anchor for the filesystem, was left unsigned.
The result is a verified-boot bypass for the root filesystem: an
attacker who can rewrite the boot medium can replace the filesystem,
recompute a matching dm-verity tree, write the new roothash into the
unsigned dm-verity subnode, and the configuration signature still
verifies. dm-verity then faithfully validates the malicious filesystem
against the attacker's roothash.
This series closes the gap.
v2: address comments by Tom Rini
* drop the VISIBLE_IF_UT visibility macro; fit_config_get_signed_nodes()
is now simply non-static (previously the function would end up being
inlined, so there *is* a real cost to this)
* document test_fit_verity_sign.py with pydoc docstrings including an
ITS example, and add a page under doc/develop/pytest/ so the module
is rendered in the generated documentation
* collect Reviewed-by tags on patches 1 and 2
Daniel Golle (3):
boot: fit: factor out node-path collection in fit_config_add_hash()
boot: fit: cover the dm-verity roothash with the config signature
test: fit: verify dm-verity roothash is covered by the config
signature
boot/image-fit-sig.c | 108 +++++++----
doc/develop/pytest/test_fit_verity_sign.rst | 10 +
include/image.h | 23 +++
test/boot/fit_verity.c | 194 +++++++++++++++++++
test/py/tests/test_fit_verity_sign.py | 202 ++++++++++++++++++++
tools/image-host.c | 22 +++
6 files changed, 520 insertions(+), 39 deletions(-)
create mode 100644 doc/develop/pytest/test_fit_verity_sign.rst
create mode 100644 test/py/tests/test_fit_verity_sign.py
base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
--
2.55.0
next reply other threads:[~2026-07-14 2:33 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 2:33 Daniel Golle [this message]
2026-07-14 2:33 ` [PATCH v2 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-14 2:33 ` [PATCH v2 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-14 2:35 ` [PATCH v2 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1783995924.git.daniel@makrotopia.org \
--to=daniel@makrotopia.org \
--cc=anton@binarly.io \
--cc=fberder@outlook.fr \
--cc=jonas@kwiboo.se \
--cc=ludwig.nussel@siemens.com \
--cc=marek.vasut@mailbox.org \
--cc=neil.armstrong@linaro.org \
--cc=quentin.schulz@cherry.de \
--cc=rs@ti.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=wolfgang.wallner@at.abb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.