[{"id":3687919,"web_url":"http://patchwork.ozlabs.org/comment/3687919/","msgid":"<CAFLszTjc1w3WTmXLbgQifH8ZBUyN-sF-NQ-bvYq45tqWscVuZw@mail.gmail.com>","list_archive_url":null,"date":"2026-05-07T16:39:32","subject":"Re: [v3,0/4] Improve FIT signature handling","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Ludwig,\n\nOn 2026-05-07T12:06:22, Ludwig Nussel <ludwig.nussel@siemens.com> wrote:\n\n> (optionally) enforce signatures so we can't accidentally boot\n> unsigned fit images.\n\nSince you are adding a new policy knob (FIT_SIGNATURE_REQUIRED) and a\nnew verifier path (fit_all_configurations_verify()), please can you\nadd coverage in test/py/tests/test_vboot.py for both the\nrequired-but-no-keys case and the iminfo signature path? Without tests\nit is easy for a future change to silently regress the fail-closed\nbehaviour.\n\nRegards,\nSimon","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=MSM1Ia9f;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"MSM1Ia9f\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBHzJ2Z5tz1yKd\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 08 May 2026 02:39:56 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 48FE684A4F;\n\tThu,  7 May 2026 18:39:48 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id DCF4784B02; Thu,  7 May 2026 18:39:46 +0200 (CEST)","from mail-ed1-x535.google.com (mail-ed1-x535.google.com\n [IPv6:2a00:1450:4864:20::535])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 04DF184A4D\n for <u-boot@lists.denx.de>; Thu,  7 May 2026 18:39:45 +0200 (CEST)","by mail-ed1-x535.google.com with SMTP id\n 4fb4d7f45d1cf-65c0891f4e9so1702571a12.1\n for <u-boot@lists.denx.de>; Thu, 07 May 2026 09:39:44 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1778171984; cv=none;\n d=google.com; s=arc-20240605;\n b=SwyOzsEBVUvNuCtt5W2/8s2bR8JAIETjDINTMpt2gDj6cwc/p5OOVGWclbj8AIYPSC\n nfBSsoWNX3FmNzqB1uda7LLXuGpkA6yEqT9k7jByggVhDbCqBG/meBaapjxnHKo1+3Ko\n bCbakFO576VqQKktmpysBSeExEtOXx5uEZl8ICZGeF5hGgk+rrSBiva8hgsATvICYf0t\n x3h9IHg6rHsOwyrr3v/Ouzrxgfu0hkhtAHeYN7gHPNrhq/YcB1kPfXWVHENfYLqTbg0a\n tJEoLuLkGdd0+sbamexFLOvzmD3G5r/WIlNk2f8BdpCM7FffdmJMeFfJsWDR5nP8uqbz\n +woQ==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=t5PKjOmp9K2p1STBMVXPZ1lsnMprWf2ICkw7Z+rjtwg=;\n fh=PKLU0xSNpsrGOfl0gQ17G1VaKViMSq+Ysfr2F1w3zVg=;\n b=LEZOyR1BEAi836bp1Iujs3ghXPXK6jVqZB+lr4LUV/VbH/d17Oyt95kkMxYyFB8I6J\n KSFMz4EQOjsbR0U1xc/tSWgu86riw+UgyAQr/er0SvWRR7ARU2rvevxjuYbMLrbdpK3o\n 1QdeEV4uBXMG5FRZQauM7b5xp4IJ+aDHICl88g5EqG3hWRwXiULORwHBi1qfZBR7KN/j\n QaIqOFlPhpyKbwbB+KsZMLVKJQ6UULWF5heMd2Cfm+ritCYYPPL/i1maVR2JTSj6dD5G\n Ua/2E3031sx0baX6VYZL0b6nSQ+zqmL7puxowwOlNywPs+3bYju0BI2oIB7fs1/bK6Uq\n YCrw==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1778171984; x=1778776784; darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=t5PKjOmp9K2p1STBMVXPZ1lsnMprWf2ICkw7Z+rjtwg=;\n b=MSM1Ia9f77/4bN1yQFmnPH9D+wwkenav8+LdxDdt8jY7MR5UlNI0CKmnvuyVTGMeL+\n Gs2OADjMq7MvnQovK/zy9SI3g5WD+USGXBd7PioY+MkFVbtHeYAR2WGKeR043xw8Fb04\n eOkc3emp7ZvPbPcgTWjpbujvAJTy2Gf0g+uu8=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778171984; x=1778776784;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=t5PKjOmp9K2p1STBMVXPZ1lsnMprWf2ICkw7Z+rjtwg=;\n b=ZI9PihjvDXAMEWvj7Mz96A06jlUG9iS/JeZMcEepeMOeiKBvHB2IsXXwlv3hGdVd7q\n VGZ2LVc3Tq4anCRNxzMdWqoZ7NPtSHdzvb23T3nqU1wtVQbZ/4ZSMDSWqk4G+YyNg11V\n GQ7PaVoL6OHVQMfqpjoYJmxnpcCjL+AjyWoFQQsCu4Ubh2NhK57DchsX+DQ8NoLyAb5V\n FWovGP1C2UHIbKpqukbX9zeiPMSRZ8qzo9LxmfCR1KBi5gkG6kWPeVbkOA+lxvAz8ehk\n BjhxSjGYupXdKZBzzVVPHtys4/RGnZSLVldOIFpkSXxXiCyEcNoIJhBDgnCsfF8jMbi5\n 45Tg==","X-Gm-Message-State":"AOJu0YzEJWGJk+w1OhhQV3jAbOile6xFziCvJ2q3YSa8Iv9QYDWN3oGV\n YHnPNz7ljKzGuQyptpWCu9gy0b8nWkv/TUh8EXLBK+q5F3xWy3KJjBZqaK7LqaXWWlL746u8QMD\n X1nHcKKYDAVdaB/Meqri0I9Gq3J1G+2gePP+FWKV60GwqYpqp5aw=","X-Gm-Gg":"AeBDiet13YGuuBeoGfPwBgQNELfhK7B424GObt1OLPtcmG7nosrQ+bP6i+gxVKE/qbW\n PqZpTgd+/IAfS+2yTuNLT1uD/zANDvnWY8WvOgNxYsVjc8dvxSDa/zBX9kbgjkPQ9n78/0i4qun\n W+lR8THmZ3JFSMqYoIwVvTAPNLnsK8K3TBDvLM9Yn636c9r1Xs5e6Q7+YOOYJNBg4OndEGHVEm+\n q7EfOolWPHGJYb7kO7K3vqSGv1mt9ACXIYh2v0weTpre2/F0F/IFInreAkHxgYL4Hu3LFCzNQp4\n EbdL9w==","X-Received":"by 2002:a17:907:c9a1:b0:bc5:ac7e:25b7 with SMTP id\n a640c23a62f3a-bc5ac7e3229mr345427266b.28.1778171984109; Thu, 07 May 2026\n 09:39:44 -0700 (PDT)","MIME-Version":"1.0","References":"<20260507120735.310325-1-ludwig.nussel@siemens.com>","In-Reply-To":"<20260507120735.310325-1-ludwig.nussel@siemens.com>","From":"Simon Glass <sjg@chromium.org>","Date":"Thu, 7 May 2026 10:39:32 -0600","X-Gm-Features":"AVHnY4ItoJre4IWfxDi9_fbaLYACM7PfQdwHj1477xvXsB0wRKQSXIt_U1g2yZ4","Message-ID":"\n <CAFLszTjc1w3WTmXLbgQifH8ZBUyN-sF-NQ-bvYq45tqWscVuZw@mail.gmail.com>","Subject":"Re: [v3,0/4] Improve FIT signature handling","To":"ludwig.nussel@siemens.com","Cc":"u-boot@lists.denx.de","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]