From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
Daniel Golle <daniel@makrotopia.org>,
Ludwig Nussel <ludwig.nussel@siemens.com>,
Anton Ivanov <anton@binarly.io>,
Neil Armstrong <neil.armstrong@linaro.org>,
Marek Vasut <marek.vasut@mailbox.org>,
Quentin Schulz <quentin.schulz@cherry.de>,
Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
Randolph Sapp <rs@ti.com>, Francois Berder <fberder@outlook.fr>,
u-boot@lists.denx.de
Subject: [PATCH 0/3] boot: fit: authenticate the dm-verity roothash
Date: Sun, 12 Jul 2026 01:33:05 +0100 [thread overview]
Message-ID: <cover.1783816074.git.daniel@makrotopia.org> (raw)
A signed FIT configuration can delegate the integrity of a (potentially
large) root filesystem image to the kernel's dm-verity instead of having
U-Boot hash the whole payload at boot: the FIT carries a "dm-verity"
subnode with the roothash, salt and block parameters, U-Boot passes the
roothash to Linux through the dm-mod.create bootargs, and dm-verity then
validates the filesystem block by block against it.
For that to be safe the roothash has to be trusted, and in a signed
configuration the only thing that establishes trust is the configuration
signature. The roothash was not covered by it. fit_config_add_hash()
collected the image node, its hash subnodes and its cipher subnode into
the signed region, but not the dm-verity subnode, so the roothash, the
sole integrity anchor for the filesystem, was left unsigned.
The result is a verified-boot bypass for the root filesystem: an
attacker who can rewrite the boot medium can replace the filesystem,
recompute a matching dm-verity tree, write the new roothash into the
unsigned dm-verity subnode, and the configuration signature still
verifies. dm-verity then faithfully validates the malicious filesystem
against the attacker's roothash.
This series closes the gap.
Daniel Golle (3):
boot: fit: factor out node-path collection in fit_config_add_hash()
boot: fit: cover the dm-verity roothash with the config signature
test: fit: verify dm-verity roothash is covered by the config
signature
boot/image-fit-sig.c | 119 ++++++++++------
include/image.h | 25 ++++
test/boot/fit_verity.c | 194 ++++++++++++++++++++++++++
test/py/tests/test_fit_verity_sign.py | 162 +++++++++++++++++++++
tools/image-host.c | 22 +++
5 files changed, 483 insertions(+), 39 deletions(-)
create mode 100644 test/py/tests/test_fit_verity_sign.py
base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
--
2.55.0
next reply other threads:[~2026-07-12 0:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-12 0:33 Daniel Golle [this message]
2026-07-12 0:33 ` [PATCH 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-12 0:33 ` [PATCH 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-12 0:33 ` [PATCH 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle
2026-07-13 22:08 ` Tom Rini
2026-07-14 12:17 ` Simon Glass
2026-07-14 16:46 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1783816074.git.daniel@makrotopia.org \
--to=daniel@makrotopia.org \
--cc=anton@binarly.io \
--cc=fberder@outlook.fr \
--cc=ludwig.nussel@siemens.com \
--cc=marek.vasut@mailbox.org \
--cc=neil.armstrong@linaro.org \
--cc=quentin.schulz@cherry.de \
--cc=rs@ti.com \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=wolfgang.wallner@at.abb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox