authorSimon Glass <[email protected]>2026-03-05 18:20:09 -0700
committerTom Rini <[email protected]>2026-03-09 09:49:50 -0600
commit2092322b31cc8b1f8c9e2e238d1043ae0637b241 (patch)
tree4fc75ff4ae16fc2727d1c445370c43baddafde90 /test
parent532a4804e965f001db6aec9ffc2ce0639eb3cf25 (diff)
boot: Add fit_config_get_hash_list() to build signed node list
The hashed-nodes property in a FIT signature node lists which FDT paths are included in the signature hash. It is intended as a hint so should not be used for verification. Add a function to build the node list from scratch by iterating the configuration's image references. Skip properties known not to be image references. For each image, collect the path plus all hash and cipher subnodes. Use the new function in fit_config_check_sig() instead of reading 'hashed-nodes'. Update the test_vboot kernel@ test case: fit_check_sign now catches the attack at signature-verification time (the @-suffixed node is hashed instead of the real one, causing a mismatch) rather than at fit_check_format() time. Update the docs to cover this. The FIT spec can be updated separately. Signed-off-by: Simon Glass <[email protected]> Closes: https://lore.kernel.org/u-boot/[email protected]/ Reported-by: Apple Security Engineering and Architecture (SEAR) Tested-by: Tom Rini <[email protected]>
Diffstat (limited to 'test')
-rw-r--r--test/py/tests/test_vboot.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 7a7f9c379de..19f3f981379 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -362,10 +362,14 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
shutil.copyfile(fit, efit)
vboot_evil.add_evil_node(fit, efit, evil_kernel, 'kernel@')
- msg = 'Signature checking prevents use of unit addresses (@) in nodes'
+ # fit_check_sign catches this via signature mismatch (the @
+ # node is hashed instead of the real one)
utils.run_and_log_expect_exception(
ubman, [fit_check_sign, '-f', efit, '-k', dtb],
- 1, msg)
+ 1, 'Failed to verify required signature')
+
+ # bootm catches it earlier, at fit_check_format() time
+ msg = 'Signature checking prevents use of unit addresses (@) in nodes'
run_bootm(sha_algo, 'evil kernel@', msg, False, efit)
# Create a new properly signed fit and replace header bytes
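Review bot: The expected string `'Failed to verify required signature'` in the fit_check_sign call is generic, so the assertion passes for any verification failure on `efit`, not only the one the new comment describes (the `kernel@` node being hashed in place of the real one). If test_vboot does not already do this above the hunk, a control check on the untampered image with the same key right before it, `utils.run_and_log(ubman, [fit_check_sign, '-f', fit, '-k', dtb])`, would tie the failure to the injected node rather than to a key or signing problem. The comment could also record that fit_check_sign and bootm are expected to reject at different stages, e.g. `# fit_check_sign and bootm reject at different layers; keep both checks so neither can regress silently`. The body of test_vboot starts and ends outside this hunk, so earlier checks on `fit` are not visible here.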