Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2074539/?format=api
{ "id": 2074539, "url": "http://patchwork.ozlabs.org/api/patches/2074539/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20250418-binman-pubkey-dir-v2-1-b6b90a765ffe@cherry.de/", "project": { "id": 18, "url": "http://patchwork.ozlabs.org/api/projects/18/?format=api", "name": "U-Boot", "link_name": "uboot", "list_id": "u-boot.lists.denx.de", "list_email": "u-boot@lists.denx.de", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20250418-binman-pubkey-dir-v2-1-b6b90a765ffe@cherry.de>", "list_archive_url": null, "date": "2025-04-18T11:26:07", "name": "[v2,1/2] binman: etype: fit: raise ValueError if key-name-hint is a path", "commit_ref": "2ddc47f9aa0581a907dd07cb4468ef6d4f3519dc", "pull_url": null, "state": "accepted", "archived": false, "hash": "e0dbf4b4d8eb32fcccfdbad463f46cb5344c769c", "submitter": { "id": 84425, "url": "http://patchwork.ozlabs.org/api/people/84425/?format=api", "name": "Quentin Schulz", "email": "foss+uboot@0leil.net" }, "delegate": { "id": 3184, "url": "http://patchwork.ozlabs.org/api/users/3184/?format=api", "username": "sjg", "first_name": "Simon", "last_name": "Glass", "email": "sjg@chromium.org" }, "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20250418-binman-pubkey-dir-v2-1-b6b90a765ffe@cherry.de/mbox/", "series": [ { "id": 453380, "url": "http://patchwork.ozlabs.org/api/series/453380/?format=api", "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=453380", "date": "2025-04-18T11:26:06", "name": "binman: properly error out if path provided to key-name-hint in signature nodes", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/453380/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2074539/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2074539/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<u-boot-bounces@lists.denx.de>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)", "phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=0leil.net", "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de", "phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=0leil.net", "phobos.denx.de;\n spf=pass smtp.mailfrom=foss+uboot@0leil.net" ], "Received": [ "from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4ZfCBf5dk9z1yJW\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 18 Apr 2025 21:26:18 +1000 (AEST)", "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id D9A2882C8A;\n\tFri, 18 Apr 2025 13:26:27 +0200 (CEST)", "by phobos.denx.de (Postfix, from userid 109)\n id 43ED682EBE; Fri, 18 Apr 2025 13:26:25 +0200 (CEST)", "from smtp-42a9.mail.infomaniak.ch (smtp-42a9.mail.infomaniak.ch\n [84.16.66.169])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 30EC882E25\n for <u-boot@lists.denx.de>; Fri, 18 Apr 2025 13:26:23 +0200 (CEST)", "from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch\n [10.7.10.108])\n by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4ZfCBk60c3zmBR;\n Fri, 18 Apr 2025 13:26:22 +0200 (CEST)", "from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA\n id 4ZfCBj6BJJzRTt; Fri, 18 Apr 2025 13:26:21 +0200 (CEST)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de", "X-Spam-Level": "", "X-Spam-Status": "No, score=-1.9 required=5.0 tests=BAYES_00,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,\n RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2", "From": "Quentin Schulz <foss+uboot@0leil.net>", "Date": "Fri, 18 Apr 2025 13:26:07 +0200", "Subject": "[PATCH v2 1/2] binman: etype: fit: raise ValueError if\n key-name-hint is a path", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "7bit", "Message-Id": "<20250418-binman-pubkey-dir-v2-1-b6b90a765ffe@cherry.de>", "References": "<20250418-binman-pubkey-dir-v2-0-b6b90a765ffe@cherry.de>", "In-Reply-To": "<20250418-binman-pubkey-dir-v2-0-b6b90a765ffe@cherry.de>", "To": "Simon Glass <sjg@chromium.org>,\n Alper Nebi Yasak <alpernebiyasak@gmail.com>, Tom Rini <trini@konsulko.com>,\n Alexander Kochetkov <al.kochet@gmail.com>,\n Lukas Funke <lukas.funke@weidmueller.com>", "Cc": "u-boot@lists.denx.de, Quentin Schulz <quentin.schulz@cherry.de>", "X-Mailer": "b4 0.14.2", "X-Infomaniak-Routing": "alpha", "X-BeenThere": "u-boot@lists.denx.de", "X-Mailman-Version": "2.1.39", "Precedence": "list", "List-Id": "U-Boot discussion <u-boot.lists.denx.de>", "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>", "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>", "List-Post": "<mailto:u-boot@lists.denx.de>", "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>", "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>", "Errors-To": "u-boot-bounces@lists.denx.de", "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>", "X-Virus-Scanned": "clamav-milter 0.103.8 at phobos.denx.de", "X-Virus-Status": "Clean" }, "content": "From: Quentin Schulz <quentin.schulz@cherry.de>\n\nmkimage doesn't fail if it cannot find the public key but it prints to\nstderr. Considering that btool.run() discards stderr, it means binman\nhappily returns an unsigned FIT and doesn't tell you something went\nwrong.\n\nBinman will actually find the file if there's a path in the\nkey-name-hint property but the current logic expects key-name-hint to be\na filename and thus returns the dirname of the found path for the key,\nbut with the original key-name-hint appended. This means we can have the\nfollowing:\n\n- key-name-hint = \"keys/dev\"\n- name = \"/home/qschulz/work/upstream/u-boot/keys/\"\n\nso we pass /home/qschulz/work/upstream/u-boot/keys/ to the -k option of\nmkimage but the FIT still contains \"keys/dev\" in key-name-hint which\nmeans mkimage will try to find the key at\n/home/qschulz/work/upstream/u-boot/keys/keys/, which doesn't exist.\n\nLet's assume paths are simply not supported (it is named key-name-hint\nand not key-path-hint after all) and raise an error if the property\ncontains a path so that the build fails and not quietly.\n\nFixes: 133c000ca334 (\"binman: implement signing FIT images during image build\")\nSigned-off-by: Quentin Schulz <quentin.schulz@cherry.de>\n---\n tools/binman/etype/fit.py | 3 +\n tools/binman/ftest.py | 18 ++++\n .../test/347_key_name_hint_dir_fit_signature.dts | 98 ++++++++++++++++++++++\n 3 files changed, 119 insertions(+)", "diff": "diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py\nindex 803fb66ea838f1f02da7fa42c121057de31ec2ef..284b19c4b882a91e4320e1c8267c3e6d935d8a00 100644\n--- a/tools/binman/etype/fit.py\n+++ b/tools/binman/etype/fit.py\n@@ -557,6 +557,7 @@ class Entry_fit(Entry_section):\n Raises:\n ValueError: Filename 'rsa2048.key' not found in input path\n ValueError: Multiple key paths found\n+ ValueError: 'dir/rsa2048' is a path not a filename\n \"\"\"\n def _find_keys_dir(node):\n for subnode in node.subnodes:\n@@ -565,6 +566,8 @@ class Entry_fit(Entry_section):\n if subnode.props.get('key-name-hint') is None:\n continue\n hint = subnode.props['key-name-hint'].value\n+ if '/' in hint:\n+ self.Raise(f\"'{hint}' is a path not a filename\")\n name = tools.get_input_filename(\n f\"{hint}.key\" if subnode.name.startswith('signature')\n else f\"{hint}.bin\")\ndiff --git a/tools/binman/ftest.py b/tools/binman/ftest.py\nindex 948fcc02259ae61d8f7ff8d4ec8b867c7f513bbf..5ea15b36a717a3bfe8fade3892e4039c046d2102 100644\n--- a/tools/binman/ftest.py\n+++ b/tools/binman/ftest.py\n@@ -7940,6 +7940,24 @@ fdt fdtmap Extract the devicetree blob from the fdtmap\n entry_args=entry_args,\n extra_indirs=[test_subdir])[0]\n \n+ def testKeyNameHintIsPathSimpleFit(self):\n+ \"\"\"Test that binman errors out on key-name-hint being a path\"\"\"\n+ if not elf.ELF_TOOLS:\n+ self.skipTest('Python elftools not available')\n+ entry_args = {\n+ 'of-list': 'test-fdt1',\n+ 'default-dt': 'test-fdt1',\n+ 'atf-bl31-path': 'bl31.elf',\n+ }\n+ test_subdir = os.path.join(self._indir, TEST_FDT_SUBDIR)\n+ with self.assertRaises(ValueError) as e:\n+ self._DoReadFileDtb(\n+ '347_key_name_hint_dir_fit_signature.dts',\n+ entry_args=entry_args,\n+ extra_indirs=[test_subdir])\n+ self.assertIn(\n+ 'Node \\'/binman/fit\\': \\'keys/rsa2048\\' is a path not a filename',\n+ str(e.exception))\n \n def testSimpleFitEncryptedData(self):\n \"\"\"Test an image with a FIT containing data to be encrypted\"\"\"\ndiff --git a/tools/binman/test/347_key_name_hint_dir_fit_signature.dts b/tools/binman/test/347_key_name_hint_dir_fit_signature.dts\nnew file mode 100644\nindex 0000000000000000000000000000000000000000..96e2126dadb319732b2a94769f1b20eaecc045e0\n--- /dev/null\n+++ b/tools/binman/test/347_key_name_hint_dir_fit_signature.dts\n@@ -0,0 +1,98 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tfit {\n+\t\t\tdescription = \"test desc\";\n+\t\t\t#address-cells = <1>;\n+\t\t\tfit,fdt-list = \"of-list\";\n+\t\t\tfit,sign;\n+\n+\t\t\timages {\n+\t\t\t\tu-boot {\n+\t\t\t\t\tdescription = \"test u-boot\";\n+\t\t\t\t\ttype = \"standalone\";\n+\t\t\t\t\tarch = \"arm64\";\n+\t\t\t\t\tos = \"u-boot\";\n+\t\t\t\t\tcompression = \"none\";\n+\t\t\t\t\tload = <0x00000000>;\n+\t\t\t\t\tentry = <0x00000000>;\n+\n+\t\t\t\t\tu-boot-nodtb {\n+\t\t\t\t\t};\n+\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+\n+\t\t\t\t\tsignature {\n+\t\t\t\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\t\t\t\tkey-name-hint = \"keys/rsa2048\";\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t\t@atf-SEQ {\n+\t\t\t\t\tfit,operation = \"split-elf\";\n+\t\t\t\t\tdescription = \"test tf-a\";\n+\t\t\t\t\ttype = \"firmware\";\n+\t\t\t\t\tarch = \"arm64\";\n+\t\t\t\t\tos = \"arm-trusted-firmware\";\n+\t\t\t\t\tcompression = \"none\";\n+\t\t\t\t\tfit,load;\n+\t\t\t\t\tfit,entry;\n+\t\t\t\t\tfit,data;\n+\n+\t\t\t\t\tatf-bl31 {\n+\t\t\t\t\t};\n+\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+\n+\t\t\t\t\tsignature {\n+\t\t\t\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\t\t\t\tkey-name-hint = \"keys/rsa2048\";\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t\t@fdt-SEQ {\n+\t\t\t\t\tdescription = \"test fdt\";\n+\t\t\t\t\ttype = \"flat_dt\";\n+\t\t\t\t\tcompression = \"none\";\n+\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+\n+\t\t\t\t\tsignature {\n+\t\t\t\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\t\t\t\tkey-name-hint = \"keys/rsa2048\";\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t};\n+\n+\t\t\tconfigurations {\n+\t\t\t\tdefault = \"@conf-uboot-DEFAULT-SEQ\";\n+\t\t\t\t@conf-uboot-SEQ {\n+\t\t\t\t\tdescription = \"uboot config\";\n+\t\t\t\t\tfdt = \"fdt-SEQ\";\n+\t\t\t\t\tfit,firmware = \"u-boot\";\n+\t\t\t\t\tfit,loadables;\n+\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+\n+\t\t\t\t\tsignature {\n+\t\t\t\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\t\t\t\tkey-name-hint = \"keys/rsa2048\";\n+\t\t\t\t\t\tsign-images = \"firmware\", \"loadables\", \"fdt\";\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t};\n+\t\t};\n+\t};\n+};\n", "prefixes": [ "v2", "1/2" ] }