From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>
Cc: "Simon Glass" <sjg@chromium.org>,
"Quentin Schulz" <quentin.schulz@cherry.de>,
"Kory Maincent" <kory.maincent@bootlin.com>,
"Mattijs Korpershoek" <mkorpershoek@kernel.org>,
"Martin Schwan" <m.schwan@phytec.de>,
"Anshul Dalal" <anshuld@ti.com>,
"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
"Sughosh Ganu" <sughosh.ganu@arm.com>,
"Aristo Chen" <jj251510319013@gmail.com>,
"牛 志宏" <Zone.Niuzh@hotmail.com>,
"Marek Vasut" <marek.vasut+renesas@mailbox.org>,
"Heinrich Schuchardt" <xypron.glpk@gmx.de>,
"Wolfgang Wallner" <wolfgang.wallner@at.abb.com>,
"Frank Wunderlich" <frank-w@public-files.de>,
"David Lechner" <dlechner@baylibre.com>,
"Osama Abdelkader" <osama.abdelkader@gmail.com>,
"Mikhail Kshevetskiy" <mikhail.kshevetskiy@iopsys.eu>,
"Michael Trimarchi" <michael@amarulasolutions.com>,
"Miquel Raynal" <miquel.raynal@bootlin.com>,
"Andrew Goodbody" <andrew.goodbody@linaro.org>,
"Yegor Yefremov" <yegorslists@googlemail.com>,
"Mike Looijmans" <mike.looijmans@topic.nl>,
"Weijie Gao" <weijie.gao@mediatek.com>,
"Alexander Stein" <alexander.stein@ew.tq-group.com>,
"Neil Armstrong" <neil.armstrong@linaro.org>,
"Mayuresh Chitale" <mchitale@ventanamicro.com>,
"Paul HENRYS" <paul.henrys_ext@softathome.com>,
u-boot@lists.denx.de, "John Crispin" <john@phrozen.org>,
"Paul Spooren" <mail@aparcar.org>,
"Marek Vasut" <marek.vasut@mailbox.org>
Subject: Re: [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading
Date: Wed, 18 Feb 2026 23:08:48 +0000 [thread overview]
Message-ID: <aZZGgCp4WqCLoSLs@makrotopia.org> (raw)
In-Reply-To: <aZX2APcJvmU4XSIy@makrotopia.org>
On Wed, Feb 18, 2026 at 05:25:29PM +0000, Daniel Golle wrote:
> On Wed, Feb 18, 2026 at 09:58:39AM -0600, Tom Rini wrote:
> > On Tue, Feb 17, 2026 at 10:25:13PM +0000, Daniel Golle wrote:
> > > [...]
> > > As the existing code expects the whole image to reside in RAM and only
> > > take care of validation, decompression and relocation, I had to extend
> > > image-fit.c to use the image_loader to only load the parts *from
> > > storage* which are actually needed, and if possible, load them directly
> > > to where they are supposed to go. Imho, the code is simple enough to
> > > just look at it:
> > >
> > > https://patchwork.ozlabs.org/project/uboot/patch/ab7837536e4567b90d7cb662984dd7e637ef4361.1771275704.git.daniel@makrotopia.org/
> > >
> > > At this stage (because I first wanted to discuss the general approach)
> > > the patch still skips some parts of image-fit.c, which is obviously not
> > > acceptable for upstream inclusion, but good enough to demonstrate the
> > > idea and also try it in practise.
> > >
> > > Ie. the 'goto storage_loaded' has to go away and all of image-fit.c has
> > > to be changed to equally work on RAM-backed or storage-backed images.
> >
> > I was talking with Marek to recall some of the details about what we can
> > and can't (easily..) do today with external data and he remidned me of
> > something. So one big concern here is that we have to be care to not
> > re-open things like:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-39902
> > or otherwise allow for mix-and-match type attacks by having some sort of
> > partial reads allowed.
> >
> > So a specialized partial-read of FIT images, in full U-Boot (not just
> > SPL), is something to figure out, but may also invalidate one of your
> > design goals because you do have to authenticate the whole image, unless
> > there's something both secure and clever I'm missing.
>
> The idea here is to have one or more IH_TYPE_FILESYSTEM subimages which
> do not have hash-* subnodes at all, hence, if there is anyway nothing to
> validate and they do not need to be loaded to RAM (ie. no load address),
> they can be skipped entirely, even if listed as 'loadable' (which is how
> the parser in the kernel currently knows which filesystem image to map;
> we could introduce a new property different from 'loadables', of course).
> Everything else which is part of the selected configuration node of
> course has to be loaded and authenticated.
Thinking about this a bit more I think that it would still be good
to have a way to validate the whole image also within U-Boot, but
add a way to mark the image as "no need to authenticate at boot" using
a new property in ITS, eg. containing the dm-vierty root hash which is
passed on to Linux via cmdline.
This would have the advantage that U-Boot can still authenticate the
whole image because hash-* and sign-* nodes are, eg. when loading it via TFTP and before writing it flash
during firmware recovery.
What do you think?
Do you agree that having 'dm-verity-root-hash = "....."' in addition to
the existing 'hash-*' and/or 'signature-*' properties would be a good
idea, and that then allowing to skip authenticating that specific
subimage at boot (but not in other cases, eg. 'iminfo' should still
always authenticate the whole image).
>
> To compensate for the authentication of IH_TYPE_FILESYSTEM subimages not
> done by U-Boot before launching Linux, the dm-verity root hash passed to
> Linux via cmdline should be part of the signed configuration, eg. by
> including an image of IH_TYPE_SCRIPT modifying 'bootargs', or by coming
> up with a new image type specifically for that purpose. Or, even better
> but a bit more involved, include the dm-verity roothash in the ITS spec
> instead of the hash-* nodes.
>
> In terms of security, anyway only dm-verity makes sense, as there is no
> point in validating the filesystem subimage if what is validated then
> isn't also what is used -- one could quickly swap the storage device
> after U-Boot has launched the kernel and before Linux mounts the rootfs
> (from storage!) ending up with a different rootfs than what U-Boot had
> previously validated when authenticating the image.
next prev parent reply other threads:[~2026-02-18 23:14 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 21:21 [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 01/20] boot: add image_loader on-demand loading abstraction Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 02/20] boot: image-loader: add block device backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 03/20] mtd: add mtd_read_skip_bad() helper Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 04/20] boot: image-loader: add MTD backend Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 05/20] cmd: ubi: export ubi_find_volume() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 06/20] mtd: set flash_node on DT-created partitions Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 07/20] cmd: ubi: add ubi_part_from_mtd() Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 08/20] boot: image-loader: add UBI volume backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:51 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-23 19:24 ` Daniel Golle
2026-02-23 19:30 ` Mikhail Kshevetskiy
2026-02-23 19:32 ` Mikhail Kshevetskiy
2026-02-24 0:12 ` Daniel Golle
2026-02-24 0:40 ` Mikhail Kshevetskiy
2026-02-24 1:06 ` Daniel Golle
2026-02-23 20:06 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 09/20] boot: fit: support on-demand loading in fit_image_load() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:47 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-24 12:41 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 10/20] cmd: bootm: accept storage device as image source Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 11/20] test: boot: add image_loader unit tests Daniel Golle
2026-02-17 19:05 ` Tom Rini
2026-02-19 13:10 ` Simon Glass
2026-02-19 14:04 ` Tom Rini
2026-02-19 14:34 ` Simon Glass
2026-02-19 15:41 ` Tom Rini
2026-02-16 21:23 ` [RFC PATCH 12/20] doc: bootm: document direct storage boot Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 13/20] boot: bootmeth: add OpenWrt boot method skeleton Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 14:00 ` Tom Rini
2026-02-19 14:31 ` Simon Glass
2026-02-19 15:31 ` Tom Rini
2026-02-19 16:52 ` Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 14/20] boot: bootmeth: openwrt: implement read_bootflow for block devices Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 15/20] boot: bootmeth: openwrt: implement boot via bootm storage path Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 16/20] boot: bootdev: add MTD boot device Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 17/20] boot: bootdev: add UBI " Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:56 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 18/20] boot: bootmeth: openwrt: support MTD and UBI bootdevs Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 19/20] boot: bootmeth: openwrt: add openwrt_boot_script hook for bootconf Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 20/20] boot: bootmeth: openwrt: add slot configuration from environment Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 22:16 ` [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Marek Vasut
2026-02-17 1:18 ` Daniel Golle
2026-02-17 2:04 ` Marek Vasut
2026-02-17 13:02 ` Daniel Golle
2026-02-17 19:15 ` Tom Rini
2026-02-17 13:32 ` Simon Glass
2026-02-17 15:08 ` Tom Rini
2026-02-17 17:46 ` Tom Rini
2026-02-23 19:32 ` Tom Rini
2026-02-24 11:57 ` Daniel Golle
2026-02-24 17:24 ` Tom Rini
2026-02-25 14:34 ` Daniel Golle
2026-02-25 22:16 ` Tom Rini
2026-02-25 23:49 ` Daniel Golle
2026-02-26 18:45 ` Tom Rini
2026-02-26 23:44 ` Simon Glass
2026-02-17 18:13 ` Tom Rini
2026-02-17 19:28 ` Daniel Golle
2026-02-17 19:35 ` Tom Rini
2026-02-17 21:07 ` Daniel Golle
2026-02-17 21:18 ` Tom Rini
[not found] ` <aZTqyRfqYe1iJ9EY@makrotopia.org>
2026-02-18 15:58 ` Tom Rini
2026-02-18 17:25 ` Daniel Golle
2026-02-18 20:33 ` Tom Rini
2026-02-24 0:37 ` Daniel Golle
2026-02-24 14:24 ` Tom Rini
2026-02-24 14:36 ` Daniel Golle
2026-02-18 23:08 ` Daniel Golle [this message]
2026-02-19 15:29 ` Tom Rini
2026-02-17 19:20 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZZGgCp4WqCLoSLs@makrotopia.org \
--to=daniel@makrotopia.org \
--cc=Zone.Niuzh@hotmail.com \
--cc=alexander.stein@ew.tq-group.com \
--cc=andrew.goodbody@linaro.org \
--cc=anshuld@ti.com \
--cc=dlechner@baylibre.com \
--cc=frank-w@public-files.de \
--cc=ilias.apalodimas@linaro.org \
--cc=jj251510319013@gmail.com \
--cc=john@phrozen.org \
--cc=kory.maincent@bootlin.com \
--cc=m.schwan@phytec.de \
--cc=mail@aparcar.org \
--cc=marek.vasut+renesas@mailbox.org \
--cc=marek.vasut@mailbox.org \
--cc=mchitale@ventanamicro.com \
--cc=michael@amarulasolutions.com \
--cc=mike.looijmans@topic.nl \
--cc=mikhail.kshevetskiy@iopsys.eu \
--cc=miquel.raynal@bootlin.com \
--cc=mkorpershoek@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=osama.abdelkader@gmail.com \
--cc=paul.henrys_ext@softathome.com \
--cc=quentin.schulz@cherry.de \
--cc=sjg@chromium.org \
--cc=sughosh.ganu@arm.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=weijie.gao@mediatek.com \
--cc=wolfgang.wallner@at.abb.com \
--cc=xypron.glpk@gmx.de \
--cc=yegorslists@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox