From: Yan WANG <yan.wang@softathome.com>
To: trini@konsulko.com, sjg@chromium.org, alpernebiyasak@gmail.com
Cc: paul.henrys_ext@softathome.com, u-boot@lists.denx.de,
	Yan WANG <yan.wang@softathome.com>
Subject: [PATCH v6 0/3] binman: Fix preload signing with encrypted FIT
Date: Tue, 14 Apr 2026 15:15:55 +0200
Message-ID: <20260414131558.538656-1-yan.wang@softathome.com>
In-Reply-To: <20260408150201.217942-3-paul.henrys_ext@softathome.com>

This series improves the reliability and efficiency of binman preload
header generation and tests it against an encrypted FIT image signed with
a preload header.

When a preload header references other entries (e.g. an encrypted FIT)
through the collection etype, the referenced entries may be rebuilt
multiple times during binman processing. This becomes problematic when
the referenced entry produces non-deterministic output, such as FIT
encryption using random IVs or timestamps, since rebuilding the entry
changes the data.

This series ensures that referenced entries are built only once and that
preload signing is performed after all data is collected. It also avoids
unnecessary repacking or repeated signing operations by the preload.

The changes include:
  * generate preload header placeholders in ObtainContents() and sign
    data only once in ProcessContentsUpdate()
  * mark referenced entries as build_done in the collection etype to
    avoid rebuilding data
  * add a functional test for signing an encrypted FIT with a preload
    header

Changes in v6:
  - set build_done only when required=True, so it happens during
    ProcessContents() rather than ObtainContents()

Paul HENRYS (2):
  binman: Generate preload header and sign data only once
  tools: binman: Test signing an encrypted FIT with a preload header

yan wang (1):
  binman: collection: Set build_done on referenced entries

 tools/binman/etype/collection.py              |  9 ++-
 tools/binman/etype/pre_load.py                |  9 +--
 tools/binman/etype/section.py                 |  5 +-
 tools/binman/ftest.py                         | 21 +++++++
 .../test/security/pre_load_fit_encrypted.dts  | 63 +++++++++++++++++++
 5 files changed, 97 insertions(+), 10 deletions(-)
 create mode 100644 tools/binman/test/security/pre_load_fit_encrypted.dts

-- 
2.25.1
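
The failure mode described in the cover letter, as an added Python model that is not binman code and not part of this patch series: a referenced entry that draws a fresh random IV on every build is signed from one build and emitted from another, unless it is frozen after the first collection. All class and function names are hypothetical; a SHAKE-256 keystream and HMAC-SHA256 stand in for FIT encryption and the preload signature.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed sample key, used for both stand-ins


class EncryptedEntry:
    """Stand-in for an encrypted FIT: each build uses a new random IV."""

    def __init__(self, plaintext):
        self.plaintext = plaintext
        self.data = None
        self.build_done = False
        self.builds = 0

    def get_data(self):
        if self.build_done:          # frozen: return the bytes already built
            return self.data
        self.builds += 1
        iv = os.urandom(16)
        stream = hashlib.shake_256(KEY + iv).digest(len(self.plaintext))
        self.data = iv + bytes(p ^ s for p, s in zip(self.plaintext, stream))
        return self.data


def sign(data):
    # HMAC-SHA256 stands in for the signature stored in a preload header
    return hmac.new(KEY, data, hashlib.sha256).digest()


def pack(entry, mark_build_done):
    """Model two passes: collect data to sign, then assemble the image."""
    signed = entry.get_data()        # pass 1: referenced data is collected
    if mark_build_done:
        entry.build_done = True      # later passes must not rebuild it
    header = sign(signed)
    payload = entry.get_data()       # pass 2: image assembly asks again
    return header, payload


def verifies(header, payload):
    """True when the header signature matches the payload actually emitted."""
    return hmac.compare_digest(header, sign(payload))
```

With `mark_build_done=False` the entry is built twice and the header no longer verifies against the emitted payload; with `True` it is built once and verification succeeds.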


