u-boot.git/boot/image-fit-sig.c, branch master Unnamed repository; edit this file 'description' to name the repository. Remove confusing NULL from error message 2026-03-27T19:10:00+00:00 Ludwig Nussel ludwig.nussel@siemens.com 2026-03-10T15:58:27+00:00 ce98d46395b748ecaf9ca1398d3b7e78e123bfd7 If no signature could be verified and the loop terminates, the iterator 'noffset' has no meaningful value so name yields NULL. Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com> 
If no signature could be verified and the loop terminates, the iterator
'noffset' has no meaningful value so name yields NULL.

Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>
Add back debug output of hashed nodes 2026-03-27T19:10:00+00:00 Ludwig Nussel ludwig.nussel@siemens.com 2026-03-10T15:58:26+00:00 40269a6e01e55275b0146ebb4db14f801cb05cde Commit 2092322b31cc ("boot: Add fit_config_get_hash_list() to build signed node list") removed printing the list of hashed nodes during verification. Add it back to have a chance to compare the list when debugging. Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com> 
Commit 2092322b31cc ("boot: Add fit_config_get_hash_list() to build
signed node list") removed printing the list of hashed nodes during
verification. Add it back to have a chance to compare the list when
debugging.

Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>
boot: Add fit_config_get_hash_list() to build signed node list 2026-03-09T15:49:50+00:00 Simon Glass simon.glass@canonical.com 2026-03-06T01:20:09+00:00 2092322b31cc8b1f8c9e2e238d1043ae0637b241 The hashed-nodes property in a FIT signature node lists which FDT paths are included in the signature hash. It is intended as a hint so should not be used for verification. Add a function to build the node list from scratch by iterating the configuration's image references. Skip properties known not to be image references. For each image, collect the path plus all hash and cipher subnodes. Use the new function in fit_config_check_sig() instead of reading 'hashed-nodes'. Update the test_vboot kernel@ test case: fit_check_sign now catches the attack at signature-verification time (the @-suffixed node is hashed instead of the real one, causing a mismatch) rather than at fit_check_format() time. Update the docs to cover this. The FIT spec can be updated separately. Signed-off-by: Simon Glass <simon.glass@canonical.com> Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/ Reported-by: Apple Security Engineering and Architecture (SEAR) Tested-by: Tom Rini <trini@konsulko.com> 
The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.

Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.

Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.

Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.

Update the docs to cover this. The FIT spec can be updated separately.

Signed-off-by: Simon Glass <simon.glass@canonical.com>
Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <trini@konsulko.com>
image-fit-sig: skip in tools build if key is missing 2025-04-11T02:55:53+00:00 Daniel Golle daniel@makrotopia.org 2025-03-29T23:23:51+00:00 40dcd5088b7f64ee2841c233c8ab82ce9c188d73 Skip signature verification in case no public key was given in order to allow using fit_check_sign also to validate uImage.FIT images without signatures. Guarded by USE_HOSTCC macro the behavior on target is unchanged. Signed-off-by: Daniel Golle <daniel@makrotopia.org> 
Skip signature verification in case no public key was given in order to
allow using fit_check_sign also to validate uImage.FIT images without
signatures. Guarded by USE_HOSTCC macro the behavior on target is
unchanged.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
image-fit-sig: Remove padding check 2024-10-21T23:52:52+00:00 Chia-Wei Wang chiawei_wang@aspeedtech.com 2024-10-14T09:56:19+00:00 2e6cf57e8eabfe9c0ca62fbcd7fd2eeaa5ce6695 The padding algorithm is not mandatory for all signing algorithm. For example, ECDSA does not require a padding method. For RSA requiring PKCS padding, the belonging info->crypto(), assigned with rsa_verify_key(), also has the check on the validity of info->padding(). Thus, remove the info->padding check from the upper, general layer. Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
The padding algorithm is not mandatory for all signing algorithm.
For example, ECDSA does not require a padding method.

For RSA requiring PKCS padding, the belonging info->crypto(), assigned
with rsa_verify_key(), also has the check on the validity of info->padding().

Thus, remove the info->padding check from the upper, general layer.

Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
global: Use CONFIG_XPL_BUILD instead of CONFIG_SPL_BUILD 2024-10-11T17:44:48+00:00 Simon Glass sjg@chromium.org 2024-09-30T01:49:50+00:00 1d6132e2a2b1217567b88ddd6d11662afd4001df Complete this rename for all directories outside arch/ board/ drivers/ and include/ Use the new symbol to refer to any 'SPL' build, including TPL and VPL Signed-off-by: Simon Glass <sjg@chromium.org> 
Complete this rename for all directories outside arch/ board/ drivers/
and include/

Use the new symbol to refer to any 'SPL' build, including TPL and VPL

Signed-off-by: Simon Glass <sjg@chromium.org>
Restore patch series "arm: dts: am62-beagleplay: Fix Beagleplay Ethernet" 2024-05-20T19:35:03+00:00 Tom Rini trini@konsulko.com 2024-05-20T19:35:03+00:00 03de305ec48b0bb28554372abb40ccd46dbe0bf9 As part of bringing the master branch back in to next, we need to allow for all of these changes to exist here. Reported-by: Jonas Karlman <jonas@kwiboo.se> Signed-off-by: Tom Rini <trini@konsulko.com> 
As part of bringing the master branch back in to next, we need to allow
for all of these changes to exist here.

Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
Revert "Merge patch series "arm: dts: am62-beagleplay: Fix Beagleplay Ethernet"" 2024-05-19T14:16:36+00:00 Tom Rini trini@konsulko.com 2024-05-19T02:20:43+00:00 d678a59d2d719da9e807495b4b021501f2836ca5 When bringing in the series 'arm: dts: am62-beagleplay: Fix Beagleplay Ethernet"' I failed to notice that b4 noticed it was based on next and so took that as the base commit and merged that part of next to master. This reverts commit c8ffd1356d42223cbb8c86280a083cc3c93e6426, reversing changes made to 2ee6f3a5f7550de3599faef9704e166e5dcace35. Reported-by: Jonas Karlman <jonas@kwiboo.se> Signed-off-by: Tom Rini <trini@konsulko.com> 
When bringing in the series 'arm: dts: am62-beagleplay: Fix Beagleplay
Ethernet"' I failed to notice that b4 noticed it was based on next and
so took that as the base commit and merged that part of next to master.

This reverts commit c8ffd1356d42223cbb8c86280a083cc3c93e6426, reversing
changes made to 2ee6f3a5f7550de3599faef9704e166e5dcace35.

Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
boot: Remove <common.h> and add needed includes 2024-05-06T21:05:04+00:00 Tom Rini trini@konsulko.com 2024-04-27T14:11:02+00:00 c4b646d43608500145b3934c9db2ee82aab3a837 Remove <common.h> from all "boot/" files and when needed add missing include files directly. Signed-off-by: Tom Rini <trini@konsulko.com> 
Remove <common.h> from all "boot/" files and when needed add
missing include files directly.

Signed-off-by: Tom Rini <trini@konsulko.com>
mkimage: fit: Fix signing of configs with external data 2022-10-26T15:36:06+00:00 Sean Anderson sean.anderson@seco.com 2022-10-20T19:41:10+00:00 0abe3323f5062032f8deb71cdc0635b124855d16 Just like we exclude data-size, data-position, and data-offset from fit_config_check_sig, we must exclude them while signing as well. While we're at it, use the FIT_DATA_* defines for fit_config_check_sig as welll. Fixes: 8edecd3110e ("fit: Fix verification of images with external data") Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding") Signed-off-by: Sean Anderson <sean.anderson@seco.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Just like we exclude data-size, data-position, and data-offset from
fit_config_check_sig, we must exclude them while signing as well.

While we're at it, use the FIT_DATA_* defines for fit_config_check_sig
as welll.

Fixes: 8edecd3110e ("fit: Fix verification of images with external data")
Fixes: c522949a29d ("rsa: sig: fix config signature check for fit with padding")
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>