From: Yan WANG <yan.wang@softathome.com>
To: trini@konsulko.com, sjg@chromium.org, alpernebiyasak@gmail.com
Cc: paul.henrys_ext@softathome.com, u-boot@lists.denx.de
Subject: [PATCH v6 3/3] tools: binman: Test signing an encrypted FIT with a preload header
Date: Tue, 14 Apr 2026 15:15:58 +0200
Message-ID: <20260414131558.538656-4-yan.wang@softathome.com>
In-Reply-To: <20260414131558.538656-1-yan.wang@softathome.com>
From: Paul HENRYS <paul.henrys_ext@softathome.com>
Add a test to verify the preload header correctly signs an encrypted
FIT. This test exercises the case where encryption uses random IVs that
would change between mkimage calls.
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
---
Changes in v6:
- No changes
tools/binman/ftest.py | 21 +++++++
.../test/security/pre_load_fit_encrypted.dts | 63 +++++++++++++++++++
2 files changed, 84 insertions(+)
create mode 100644 tools/binman/test/security/pre_load_fit_encrypted.dts
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index ca5149ee654..da8325f820a 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -5895,6 +5895,27 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
data = self._DoReadFileDtb('security/pre_load_invalid_key.dts',
entry_args=entry_args)
+ def testPreLoadEncryptedFit(self):
+ """Test an encrypted FIT image with a pre-load header"""
+ entry_args = {
+ 'pre-load-key-path': os.path.join(self._binman_dir, 'test'),
+ }
+ data = tools.read_file(self.TestFile("fit/aes256.bin"))
+ self._MakeInputFile("keys/aes256.bin", data)
+
+ keys_subdir = os.path.join(self._indir, "keys")
+ data = self._DoReadFileDtb(
+ 'security/pre_load_fit_encrypted.dts', entry_args=entry_args,
+ extra_indirs=[keys_subdir])[0]
+
+ image_fname = tools.get_output_filename('image.bin')
+ is_signed = self._CheckPreload(image_fname, self.TestFile("dev.key"))
+
+ self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])
+ self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])
+ self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])
+ self.assertEqual(is_signed, True)
+
def _CheckSafeUniqueNames(self, *images):
"""Check all entries of given images for unsafe unique names"""
for image in images:
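Review bot: The assertions at the end of testPreLoadEncryptedFit only cover the pre-load header fields and the signature result, so nothing in the test confirms that the FIT payload was actually encrypted. If `fit,encrypt` were silently ignored, the test would still pass without exercising the random-IV case the commit message describes. Consider adding a check on the FIT portion of `data` (after the header) showing that the image content is not the plaintext input or that the cipher node carries the expected properties. Two smaller points: `self.assertEqual(is_signed, True)` reads better as `self.assertTrue(is_signed)`, and the docstring could mention that this guards against the signature being computed over a FIT whose IV later changes, since that is the reason the test exists.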
diff --git a/tools/binman/test/security/pre_load_fit_encrypted.dts b/tools/binman/test/security/pre_load_fit_encrypted.dts
new file mode 100644
index 00000000000..f5e9bf9426c
--- /dev/null
+++ b/tools/binman/test/security/pre_load_fit_encrypted.dts
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ pre-load {
+ content = <&image>;
+ algo-name = "sha256,rsa2048";
+ key-name = "dev.key";
+ header-size = <4096>;
+ version = <0x11223344>;
+ };
+
+ image: fit {
+ fit,encrypt;
+ description = "Test a FIT with encrypted data and signed with a preload";
+ #address-cells = <1>;
+
+ images {
+ u-boot {
+ description = "U-Boot";
+ type = "firmware";
+ arch = "arm64";
+ os = "U-Boot";
+ compression = "none";
+ load = <00000000>;
+ entry = <00000000>;
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-nodtb {
+ };
+ };
+ fdt-1 {
+ description = "Flattened Device Tree blob";
+ type = "flat_dt";
+ arch = "arm64";
+ compression = "none";
+ cipher {
+ algo = "aes256";
+ key-name-hint = "aes256";
+ };
+ u-boot-dtb {
+ };
+ };
+ };
+
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ description = "Boot U-Boot with FDT blob";
+ firmware = "u-boot";
+ fdt = "fdt-1";
+ };
+ };
+ };
+ };
+};
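Review bot: Both `cipher` nodes set only `algo` and `key-name-hint`, with no IV hint, and nothing in the file says this is deliberate. Since the commit message states the test depends on random IVs that change between mkimage calls, a short comment above the first `cipher` node explaining that the IV is intentionally left unspecified would stop a later cleanup from adding one and quietly turning this into a deterministic case. As a style point, `load = <00000000>;` and `entry = <00000000>;` would be clearer as `<0x0>`, and the `description` string could say "signed with a pre-load header" to match the node name.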
--
2.25.1