U-Boot Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel Golle <daniel@makrotopia.org>
To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
	Daniel Golle <daniel@makrotopia.org>,
	Ludwig Nussel <ludwig.nussel@siemens.com>,
	Anton Ivanov <anton@binarly.io>,
	Marek Vasut <marek.vasut@mailbox.org>,
	Neil Armstrong <neil.armstrong@linaro.org>,
	Quentin Schulz <quentin.schulz@cherry.de>,
	Jonas Karlman <jonas@kwiboo.se>, Randolph Sapp <rs@ti.com>,
	Wolfgang Wallner <wolfgang.wallner@at.abb.com>,
	Francois Berder <fberder@outlook.fr>,
	u-boot@lists.denx.de
Subject: [PATCH v2 0/3] boot: fit: authenticate the dm-verity roothash
Date: Tue, 14 Jul 2026 03:33:23 +0100	[thread overview]
Message-ID: <cover.1783995924.git.daniel@makrotopia.org> (raw)

A signed FIT configuration can delegate the integrity of a (potentially
large) root filesystem image to the kernel's dm-verity instead of having
U-Boot hash the whole payload at boot: the FIT carries a "dm-verity"
subnode with the roothash, salt and block parameters, U-Boot passes the
roothash to Linux through the dm-mod.create bootargs, and dm-verity then
validates the filesystem block by block against it.

For that to be safe the roothash has to be trusted, and in a signed
configuration the only thing that establishes trust is the configuration
signature. The roothash was not covered by it. fit_config_add_hash()
collected the image node, its hash subnodes and its cipher subnode into
the signed region, but not the dm-verity subnode, so the roothash, the
sole integrity anchor for the filesystem, was left unsigned.

The result is a verified-boot bypass for the root filesystem: an
attacker who can rewrite the boot medium can replace the filesystem,
recompute a matching dm-verity tree, write the new roothash into the
unsigned dm-verity subnode, and the configuration signature still
verifies. dm-verity then faithfully validates the malicious filesystem
against the attacker's roothash.

This series closes the gap.

v2: address comments by Tom Rini
 * drop the VISIBLE_IF_UT visibility macro; fit_config_get_signed_nodes()
   is now simply non-static (previously the function would end up being
   inlined, so there *is* a real cost to this)
 * document test_fit_verity_sign.py with pydoc docstrings including an
   ITS example, and add a page under doc/develop/pytest/ so the module
   is rendered in the generated documentation
 * collect Reviewed-by tags on patches 1 and 2

Daniel Golle (3):
  boot: fit: factor out node-path collection in fit_config_add_hash()
  boot: fit: cover the dm-verity roothash with the config signature
  test: fit: verify dm-verity roothash is covered by the config
    signature

 boot/image-fit-sig.c                        | 108 +++++++----
 doc/develop/pytest/test_fit_verity_sign.rst |  10 +
 include/image.h                             |  23 +++
 test/boot/fit_verity.c                      | 194 +++++++++++++++++++
 test/py/tests/test_fit_verity_sign.py       | 202 ++++++++++++++++++++
 tools/image-host.c                          |  22 +++
 6 files changed, 520 insertions(+), 39 deletions(-)
 create mode 100644 doc/develop/pytest/test_fit_verity_sign.rst
 create mode 100644 test/py/tests/test_fit_verity_sign.py


base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
-- 
2.55.0

             reply	other threads:[~2026-07-14  2:33 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14  2:33 Daniel Golle [this message]
2026-07-14  2:33 ` [PATCH v2 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-14  2:33 ` [PATCH v2 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-14  2:35 ` [PATCH v2 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1783995924.git.daniel@makrotopia.org \
    --to=daniel@makrotopia.org \
    --cc=anton@binarly.io \
    --cc=fberder@outlook.fr \
    --cc=jonas@kwiboo.se \
    --cc=ludwig.nussel@siemens.com \
    --cc=marek.vasut@mailbox.org \
    --cc=neil.armstrong@linaro.org \
    --cc=quentin.schulz@cherry.de \
    --cc=rs@ti.com \
    --cc=sjg@chromium.org \
    --cc=trini@konsulko.com \
    --cc=u-boot@lists.denx.de \
    --cc=wolfgang.wallner@at.abb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox