From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>
Cc: "Simon Glass" <sjg@chromium.org>,
"Quentin Schulz" <quentin.schulz@cherry.de>,
"Kory Maincent" <kory.maincent@bootlin.com>,
"Mattijs Korpershoek" <mkorpershoek@kernel.org>,
"Martin Schwan" <m.schwan@phytec.de>,
"Anshul Dalal" <anshuld@ti.com>,
"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
"Sughosh Ganu" <sughosh.ganu@arm.com>,
"Aristo Chen" <jj251510319013@gmail.com>,
"牛 志宏" <Zone.Niuzh@hotmail.com>,
"Marek Vasut" <marek.vasut+renesas@mailbox.org>,
"Heinrich Schuchardt" <xypron.glpk@gmx.de>,
"Wolfgang Wallner" <wolfgang.wallner@at.abb.com>,
"Frank Wunderlich" <frank-w@public-files.de>,
"David Lechner" <dlechner@baylibre.com>,
"Osama Abdelkader" <osama.abdelkader@gmail.com>,
"Mikhail Kshevetskiy" <mikhail.kshevetskiy@iopsys.eu>,
"Michael Trimarchi" <michael@amarulasolutions.com>,
"Miquel Raynal" <miquel.raynal@bootlin.com>,
"Andrew Goodbody" <andrew.goodbody@linaro.org>,
"Yegor Yefremov" <yegorslists@googlemail.com>,
"Mike Looijmans" <mike.looijmans@topic.nl>,
"Weijie Gao" <weijie.gao@mediatek.com>,
"Alexander Stein" <alexander.stein@ew.tq-group.com>,
"Neil Armstrong" <neil.armstrong@linaro.org>,
"Mayuresh Chitale" <mchitale@ventanamicro.com>,
"Paul HENRYS" <paul.henrys_ext@softathome.com>,
u-boot@lists.denx.de, "John Crispin" <john@phrozen.org>,
"Paul Spooren" <mail@aparcar.org>,
"Marek Vasut" <marek.vasut@mailbox.org>
Subject: Re: [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading
Date: Tue, 24 Feb 2026 00:37:19 +0000 [thread overview]
Message-ID: <aZzyv1sUrnm2PKBc@makrotopia.org> (raw)
In-Reply-To: <20260218203314.GG3233182@bill-the-cat>
On Wed, Feb 18, 2026 at 02:33:14PM -0600, Tom Rini wrote:
> On Wed, Feb 18, 2026 at 05:25:20PM +0000, Daniel Golle wrote:
> > On Wed, Feb 18, 2026 at 09:58:39AM -0600, Tom Rini wrote:
> > > On Tue, Feb 17, 2026 at 10:25:13PM +0000, Daniel Golle wrote:
> > > > [...]
> > > > As the existing code expects the whole image to reside in RAM and only
> > > > take care of validation, decompression and relocation, I had to extend
> > > > image-fit.c to use the image_loader to only load the parts *from
> > > > storage* which are actually needed, and if possible, load them directly
> > > > to where they are supposed to go. Imho, the code is simple enough to
> > > > just look at it:
> > > >
> > > > https://patchwork.ozlabs.org/project/uboot/patch/ab7837536e4567b90d7cb662984dd7e637ef4361.1771275704.git.daniel@makrotopia.org/
> > > >
> > > > At this stage (because I first wanted to discuss the general approach)
> > > > the patch still skips some parts of image-fit.c, which is obviously not
> > > > acceptable for upstream inclusion, but good enough to demonstrate the
> > > > idea and also try it in practise.
> > > >
> > > > Ie. the 'goto storage_loaded' has to go away and all of image-fit.c has
> > > > to be changed to equally work on RAM-backed or storage-backed images.
> > >
> > > I was talking with Marek to recall some of the details about what we can
> > > and can't (easily..) do today with external data and he remidned me of
> > > something. So one big concern here is that we have to be care to not
> > > re-open things like:
> > > https://nvd.nist.gov/vuln/detail/CVE-2023-39902
> > > or otherwise allow for mix-and-match type attacks by having some sort of
> > > partial reads allowed.
> > >
> > > So a specialized partial-read of FIT images, in full U-Boot (not just
> > > SPL), is something to figure out, but may also invalidate one of your
> > > design goals because you do have to authenticate the whole image, unless
> > > there's something both secure and clever I'm missing.
> >
> > The idea here is to have one or more IH_TYPE_FILESYSTEM subimages which
> > do not have hash-* subnodes at all, hence, if there is anyway nothing to
> > validate and they do not need to be loaded to RAM (ie. no load address),
> > they can be skipped entirely, even if listed as 'loadable' (which is how
> > the parser in the kernel currently knows which filesystem image to map;
> > we could introduce a new property different from 'loadables', of course).
> > Everything else which is part of the selected configuration node of
> > course has to be loaded and authenticated.
> >
> > To compensate for the authentication of IH_TYPE_FILESYSTEM subimages not
> > done by U-Boot before launching Linux, the dm-verity root hash passed to
> > Linux via cmdline should be part of the signed configuration, eg. by
> > including an image of IH_TYPE_SCRIPT modifying 'bootargs', or by coming
> > up with a new image type specifically for that purpose. Or, even better
> > but a bit more involved, include the dm-verity roothash in the ITS spec
> > instead of the hash-* nodes.
> >
> > In terms of security, anyway only dm-verity makes sense, as there is no
> > point in validating the filesystem subimage if what is validated then
> > isn't also what is used -- one could quickly swap the storage device
> > after U-Boot has launched the kernel and before Linux mounts the rootfs
> > (from storage!) ending up with a different rootfs than what U-Boot had
> > previously validated when authenticating the image.
>
> Right, OK. What I was thinking about, but Marek corrected me on, is
> about where we may or may not have problems about authentication. So
> long as we start by reading in the whole of the FIT (which excludes
> external data, being external) and start the authentication with that,
> we should be fine.
>
> I have some other questions / concerns still, but there's also still a
> number of other emails I sent that're outstanding. So, can you please
> link to an itb that would be making use of your proposed feature? Being
> able to examine that would help me be more precise in my own questions,
> thanks.
I don't have any option at hand to host larger binaries anywhere public.
If you know any service which allows to do this for free without
requiring a complicated and personal-data-exposing sign-up procedure,
please let me know, I'll use that.
Meanwhile, as the content of the large data blobs probably anyway
doesn't matter for this discussion, here is the decompiled FIT structure:
/dts-v1/;
/ {
timestamp = <0x69987422>;
description = "ARM64 OpenWrt FIT (Flattened Image Tree)";
#address-cells = <0x01>;
images {
kernel-1 {
data-size = <0x5e4cdb>;
data-position = <0x4000>;
description = "ARM64 OpenWrt Linux-6.12.71";
type = "kernel";
arch = "arm64";
os = "linux";
compression = "gzip";
load = <0x44000000>;
entry = <0x44000000>;
hash-1 {
value = <0x5e864feb>;
algo = "crc32";
};
hash-2 {
value = <0x1029dbef 0xda4938de 0x16eda8c5 0x9c0fffc2 0x1a4c458f>;
algo = "sha1";
};
};
fdt-1 {
data-size = <0x7d10>;
data-position = <0x5e9000>;
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree blob";
type = "flat_dt";
load = <0x43f00000>;
arch = "arm64";
compression = "none";
hash-1 {
value = <0x331fdfaf>;
algo = "crc32";
};
hash-2 {
value = <0x4930ba36 0xe594a76b 0xcf6ba90b 0xa8c92ae5 0xdc68ed66>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-emmc {
data-size = <0x405>;
data-position = <0x5f1000>;
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-emmc";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0x59209fd3>;
algo = "crc32";
};
hash-2 {
value = <0xb76ad9bb 0x9619b789 0x8e920f02 0x27be0a3a 0x6154b007>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-nand {
data-size = <0x46c>;
data-position = "", "_ ";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-nand";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xaeedea4c>;
algo = "crc32";
};
hash-2 {
value = <0xc47f4473 0xcf3eb99a 0x284f63a0 0xb508857d 0xed829f97>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-nor {
data-size = <0x4be>;
data-position = "", "_0";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-nor";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xa3898f18>;
algo = "crc32";
};
hash-2 {
value = <0xc45f4ad9 0x30273fbc 0x6721b946 0xa380aca1 0xc9bbd5a4>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-sd {
data-size = <0x36b>;
data-position = "", "_@";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-sd";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xd0cb47a7>;
algo = "crc32";
};
hash-2 {
value = <0xb62232a8 0x23113c8a 0xc6973ef9 0x1748f275 0xe6e423fc>;
algo = "sha1";
};
};
fdt-mt7986a-bananapi-bpi-r3-respeaker-2mics {
data-size = <0x5b2>;
data-position = "", "_P";
description = "ARM64 OpenWrt bananapi_bpi-r3 device tree overlay mt7986a-bananapi-bpi-r3-respeaker-2mics";
type = "flat_dt";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xc8d3f33c>;
algo = "crc32";
};
hash-2 {
value = <0x29e3a558 0x75e9a9d8 0x34d88eaa 0x5c134e78 0xa05deef9>;
algo = "sha1";
};
};
rootfs-1 {
data-size = <0x1005000>;
data-position = "", "_`";
description = "ARM64 OpenWrt bananapi_bpi-r3 rootfs";
type = "filesystem";
arch = "arm64";
compression = "none";
hash-1 {
value = <0xde4b8717>;
algo = "crc32";
};
hash-2 {
value = <0x13535da6 0x7fa95cda 0x9331dc1 0x1cd01dd 0xaea3701e>;
algo = "sha1";
};
dm-verity {
block-size = <0x1000>;
data-blocks = <0xfe3>;
algo = "sha256";
root-hash = "61b01a3b94d7e1166ed34bbdf60a65944f49fcebced531d5cdc98b8b65b2a898";
salt = "73a9020ed5a88a54f8392dd1b141a6def3072461061275db72ef18e6e1851c6c";
};
};
};
configurations {
default = "config-mt7986a-bananapi-bpi-r3";
config-mt7986a-bananapi-bpi-r3 {
description = "OpenWrt bananapi_bpi-r3";
kernel = "kernel-1";
fdt = "fdt-1";
loadables = "rootfs-1";
};
mt7986a-bananapi-bpi-r3-emmc {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-emmc";
fdt = "fdt-mt7986a-bananapi-bpi-r3-emmc";
};
mt7986a-bananapi-bpi-r3-nand {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-nand";
fdt = "fdt-mt7986a-bananapi-bpi-r3-nand";
};
mt7986a-bananapi-bpi-r3-nor {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-nor";
fdt = "fdt-mt7986a-bananapi-bpi-r3-nor";
};
mt7986a-bananapi-bpi-r3-sd {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-sd";
fdt = "fdt-mt7986a-bananapi-bpi-r3-sd";
};
mt7986a-bananapi-bpi-r3-respeaker-2mics {
description = "OpenWrt bananapi_bpi-r3 overlay mt7986a-bananapi-bpi-r3-respeaker-2mics";
fdt = "fdt-mt7986a-bananapi-bpi-r3-respeaker-2mics";
};
};
};
next prev parent reply other threads:[~2026-02-24 0:47 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-16 21:21 [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 01/20] boot: add image_loader on-demand loading abstraction Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 02/20] boot: image-loader: add block device backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:21 ` [RFC PATCH 03/20] mtd: add mtd_read_skip_bad() helper Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 04/20] boot: image-loader: add MTD backend Daniel Golle
2026-02-16 21:21 ` [RFC PATCH 05/20] cmd: ubi: export ubi_find_volume() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 06/20] mtd: set flash_node on DT-created partitions Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 07/20] cmd: ubi: add ubi_part_from_mtd() Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 08/20] boot: image-loader: add UBI volume backend Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:51 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-23 19:24 ` Daniel Golle
2026-02-23 19:30 ` Mikhail Kshevetskiy
2026-02-23 19:32 ` Mikhail Kshevetskiy
2026-02-24 0:12 ` Daniel Golle
2026-02-24 0:40 ` Mikhail Kshevetskiy
2026-02-24 1:06 ` Daniel Golle
2026-02-23 20:06 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 09/20] boot: fit: support on-demand loading in fit_image_load() Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:47 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-24 12:41 ` Daniel Golle
2026-02-16 21:22 ` [RFC PATCH 10/20] cmd: bootm: accept storage device as image source Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:22 ` [RFC PATCH 11/20] test: boot: add image_loader unit tests Daniel Golle
2026-02-17 19:05 ` Tom Rini
2026-02-19 13:10 ` Simon Glass
2026-02-19 14:04 ` Tom Rini
2026-02-19 14:34 ` Simon Glass
2026-02-19 15:41 ` Tom Rini
2026-02-16 21:23 ` [RFC PATCH 12/20] doc: bootm: document direct storage boot Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 13/20] boot: bootmeth: add OpenWrt boot method skeleton Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 14:00 ` Tom Rini
2026-02-19 14:31 ` Simon Glass
2026-02-19 15:31 ` Tom Rini
2026-02-19 16:52 ` Daniel Golle
2026-02-16 21:23 ` [RFC PATCH 14/20] boot: bootmeth: openwrt: implement read_bootflow for block devices Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 15/20] boot: bootmeth: openwrt: implement boot via bootm storage path Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:23 ` [RFC PATCH 16/20] boot: bootdev: add MTD boot device Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 17/20] boot: bootdev: add UBI " Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-19 16:56 ` Daniel Golle
2026-02-23 17:51 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 18/20] boot: bootmeth: openwrt: support MTD and UBI bootdevs Daniel Golle
2026-02-19 13:09 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 19/20] boot: bootmeth: openwrt: add openwrt_boot_script hook for bootconf Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 21:24 ` [RFC PATCH 20/20] boot: bootmeth: openwrt: add slot configuration from environment Daniel Golle
2026-02-19 13:11 ` Simon Glass
2026-02-16 22:16 ` [RFC PATCH 00/20] boot: add OpenWrt boot method and on-demand FIT loading Marek Vasut
2026-02-17 1:18 ` Daniel Golle
2026-02-17 2:04 ` Marek Vasut
2026-02-17 13:02 ` Daniel Golle
2026-02-17 19:15 ` Tom Rini
2026-02-17 13:32 ` Simon Glass
2026-02-17 15:08 ` Tom Rini
2026-02-17 17:46 ` Tom Rini
2026-02-23 19:32 ` Tom Rini
2026-02-24 11:57 ` Daniel Golle
2026-02-24 17:24 ` Tom Rini
2026-02-25 14:34 ` Daniel Golle
2026-02-25 22:16 ` Tom Rini
2026-02-25 23:49 ` Daniel Golle
2026-02-26 18:45 ` Tom Rini
2026-02-26 23:44 ` Simon Glass
2026-02-17 18:13 ` Tom Rini
2026-02-17 19:28 ` Daniel Golle
2026-02-17 19:35 ` Tom Rini
2026-02-17 21:07 ` Daniel Golle
2026-02-17 21:18 ` Tom Rini
[not found] ` <aZTqyRfqYe1iJ9EY@makrotopia.org>
2026-02-18 15:58 ` Tom Rini
2026-02-18 17:25 ` Daniel Golle
2026-02-18 20:33 ` Tom Rini
2026-02-24 0:37 ` Daniel Golle [this message]
2026-02-24 14:24 ` Tom Rini
2026-02-24 14:36 ` Daniel Golle
2026-02-18 23:08 ` Daniel Golle
2026-02-19 15:29 ` Tom Rini
2026-02-17 19:20 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aZzyv1sUrnm2PKBc@makrotopia.org \
--to=daniel@makrotopia.org \
--cc=Zone.Niuzh@hotmail.com \
--cc=alexander.stein@ew.tq-group.com \
--cc=andrew.goodbody@linaro.org \
--cc=anshuld@ti.com \
--cc=dlechner@baylibre.com \
--cc=frank-w@public-files.de \
--cc=ilias.apalodimas@linaro.org \
--cc=jj251510319013@gmail.com \
--cc=john@phrozen.org \
--cc=kory.maincent@bootlin.com \
--cc=m.schwan@phytec.de \
--cc=mail@aparcar.org \
--cc=marek.vasut+renesas@mailbox.org \
--cc=marek.vasut@mailbox.org \
--cc=mchitale@ventanamicro.com \
--cc=michael@amarulasolutions.com \
--cc=mike.looijmans@topic.nl \
--cc=mikhail.kshevetskiy@iopsys.eu \
--cc=miquel.raynal@bootlin.com \
--cc=mkorpershoek@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=osama.abdelkader@gmail.com \
--cc=paul.henrys_ext@softathome.com \
--cc=quentin.schulz@cherry.de \
--cc=sjg@chromium.org \
--cc=sughosh.ganu@arm.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=weijie.gao@mediatek.com \
--cc=wolfgang.wallner@at.abb.com \
--cc=xypron.glpk@gmx.de \
--cc=yegorslists@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox