From: Tom Rini <trini@konsulko.com>
To: Simon Glass <sjg@chromium.org>
Cc: Daniel Golle <daniel@makrotopia.org>,
Ludwig Nussel <ludwig.nussel@siemens.com>,
Anton Ivanov <anton@binarly.io>,
Neil Armstrong <neil.armstrong@linaro.org>,
Marek Vasut <marek.vasut@mailbox.org>,
Quentin Schulz <quentin.schulz@cherry.de>,
Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
Randolph Sapp <rs@ti.com>, Francois Berder <fberder@outlook.fr>,
u-boot@lists.denx.de
Subject: Re: [PATCH 3/3] test: fit: verify dm-verity roothash is covered by the config signature
Date: Tue, 14 Jul 2026 10:46:47 -0600 [thread overview]
Message-ID: <20260714164647.GA749385@bill-the-cat> (raw)
In-Reply-To: <CAFLszTjfcmPuUnmVg60pVzsnzSm0kPn3zLL7GMkCTpUyHCQUZw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2554 bytes --]
On Tue, Jul 14, 2026 at 06:17:11AM -0600, Simon Glass wrote:
> Hi Daniel,
>
> On 2026-07-12T00:33:05, Daniel Golle <daniel@makrotopia.org> wrote:
> > test: fit: verify dm-verity roothash is covered by the config signature
> >
> > A dm-verity protected filesystem image is not hashed by U-Boot; its
> > integrity is delegated to the kernel, which trusts the roothash taken
> > from the FIT dm-verity subnode. For that chain of trust to hold, the
> > roothash (and salt) must be part of the region covered by the
> > configuration signature, otherwise an attacker can replace both the
> > filesystem and the roothash while keeping the signature valid.
> >
> > Add two independent checks of this property:
> >
> > - test/py/tests/test_fit_verity_sign.py signs a configuration that
> > references a filesystem image carrying a dm-verity subnode, then
> > confirms that tampering the roothash or the salt is rejected by
> > fit_check_sign. A control that tampers a byte known to be signed
> > proves the check can fail.
> >
> > - test/boot/fit_verity.c gains a runtime unit test that builds the
> > exact node list the configuration signature is computed over,
> > turns it into hashed regions and checks both that the roothash
> > [...]
> >
> > boot/image-fit-sig.c | 25 +++--
> > include/image.h | 25 +++++
> > test/boot/fit_verity.c | 194 ++++++++++++++++++++++++++++++++++
> > test/py/tests/test_fit_verity_sign.py | 162 ++++++++++++++++++++++++++++
> > 4 files changed, 399 insertions(+), 7 deletions(-)
>
> Somehow I didn't get this email, but I'll try to reply here.
>
> > diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
> > @@ -340,8 +340,19 @@ static int fit_config_add_hash(const void *fit, int image_noffset,
> > +#if CONFIG_IS_ENABLED(UNIT_TEST)
> > +#define VISIBLE_IF_UT
> > +#else
> > +#define VISIBLE_IF_UT static
> > +#endif
>
> Tom commented on this, but I'll just add this. Linux has
> VISIBLE_IF_KUNIT but in U-Boot so far we just stop the static when the
> function is needed elsewhere. LTO can be used to avoid the code-size
> increase, for platforms that want it.
As part of why this should be its own discussion, a quick look at
VISIBLE_IF_KUNIT in the kernel leads me to think it's not quite the same
set of needs, or if so there's a lot more architectural enforcement
around what is/isn't exposed just for testing, which we lack today.
Talking about LTO isn't relevant here.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
prev parent reply other threads:[~2026-07-14 16:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-12 0:33 [PATCH 0/3] boot: fit: authenticate the dm-verity roothash Daniel Golle
2026-07-12 0:33 ` [PATCH 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-12 0:33 ` [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-12 0:33 ` [PATCH 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-14 16:46 ` Tom Rini [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714164647.GA749385@bill-the-cat \
--to=trini@konsulko.com \
--cc=anton@binarly.io \
--cc=daniel@makrotopia.org \
--cc=fberder@outlook.fr \
--cc=ludwig.nussel@siemens.com \
--cc=marek.vasut@mailbox.org \
--cc=neil.armstrong@linaro.org \
--cc=quentin.schulz@cherry.de \
--cc=rs@ti.com \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
--cc=wolfgang.wallner@at.abb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox