[{"id":3678342,"web_url":"http://patchwork.ozlabs.org/comment/3678342/","msgid":"<CAFLszTiW=ysumFM=H580CZEeH=Z6_EqJaNmpN5wwqGD+Csp=VA@mail.gmail.com>","list_archive_url":null,"date":"2026-04-16T19:36:33","subject":"Re: [PATCH v2 4/7] tools: mkimage: add dm-verity Merkle-tree\n generation","submitter":{"id":6170,"url":"http://patchwork.ozlabs.org/api/people/6170/","name":"Simon Glass","email":"sjg@chromium.org"},"content":"Hi Daniel,\n\nOn 2026-04-16T01:46:15, Daniel Golle <daniel@makrotopia.org> wrote:\n> tools: mkimage: add dm-verity Merkle-tree generation\n>\n> When mkimage encounters a dm-verity subnode inside a component image\n> node it now automatically invokes veritysetup(8) with --no-superblock\n> to generate the Merkle hash tree, screen-scrapes the Root hash and Salt\n> from the tool output, and writes the computed properties back into the\n> FIT blob.\n>\n> The user only needs to specify algorithm, data-block-size, and\n> hash-block-size in the ITS; mkimage fills in digest, salt,\n> num-data-blocks, and hash-start-block.  Because --no-superblock is\n> used, hash-start-block equals num-data-blocks with no off-by-one.\n>\n> The image data property is replaced with the expanded content (original\n> data followed directly by the hash tree) so that subsequent hash and\n> signature subnodes operate on the complete image.\n>\n> fit_image_add_verification_data() is restructured into two passes:\n> dm-verity first (may grow data), then hashes and signatures.\n>\n> [...]\n\n> diff --git a/tools/image-host.c b/tools/image-host.c\n> @@ -626,6 +629,309 @@ int fit_image_cipher_data(const char *keydir, void *keydest,\n> +     uint32_t hash_start_block;\n> ...\n> +     /* hash tree starts immediately after data (no superblock) */\n> +     hash_start_block = hash_offset / hash_block_size;\n\nThe check for num_data_blocks overflowdoesn't protect against\nhash_start_block overflow when hash-block-size < data-block-size. For\nexample, if data_block_size is 4096 and hash_block_size is 512,\nhash_start_block can be 8x larger than num_data_blocks. Please can you\nadd a similar overflow check for hash_start_block?\n\nRegards,\nSimon","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org header.a=rsa-sha256\n header.s=google header.b=AJzq5qrh;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=chromium.org header.i=@chromium.org\n header.b=\"AJzq5qrh\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=chromium.org","phobos.denx.de;\n spf=pass smtp.mailfrom=sjg@chromium.org"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxSvC6BV6z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 05:36:55 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 5905E8423E;\n\tThu, 16 Apr 2026 21:36:53 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 6AAA280086; Thu, 16 Apr 2026 21:36:51 +0200 (CEST)","from mail-ed1-x534.google.com (mail-ed1-x534.google.com\n [IPv6:2a00:1450:4864:20::534])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 1238180086\n for <u-boot@lists.denx.de>; Thu, 16 Apr 2026 21:36:47 +0200 (CEST)","by mail-ed1-x534.google.com with SMTP id\n 4fb4d7f45d1cf-671c4d08dc2so3543608a12.3\n for <u-boot@lists.denx.de>; Thu, 16 Apr 2026 12:36:47 -0700 (PDT)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; t=1776368206; cv=none;\n d=google.com; s=arc-20240605;\n b=Rwy0kkhbZAJBDA7QoykpWxGdLkIhXFl3SZJDtrcoSZuYx800Tg2ADzi2wk1nT9Saag\n 0Jg9xR0tHhda+ApDYN/Xfbk8ZdOKVG9j97H3Yj38lQ8SncPUHRCV/fq3Dy66mVsTy9WG\n YgwfBAk/tn7y52xJ0/7wuXmfnbZo18KcWykpNQiSdJw7hTkCgl5070hUG99mytUL2AzH\n 50ETJqpYLLiIHGPpXdI6CxOGVJxFfOOeLElRLM0CYw6x3o5OiOo/BZ4sfGw5sMFL49eL\n Gs32nus/lv3gD4cyh91WEHP807H++tT4SvlsjttM0chRzfgUs5OpVY/RVARuAS/+cRlw\n m7mw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:dkim-signature;\n bh=eDjf9DdFvk9B5T9ogRXGZDki9sdmBXN2s1JfKPWixME=;\n fh=cbYquVqJfSlv5DRvNQl5DfKkRDDjpF2iJAI/mtifNns=;\n b=DYpiCL9Bf/p9CKk5TA6pHvIOVEUehNseRdH9TRQQFX3TL0GafQwAN4CZCo3dXpgd9c\n mtuqYOh40wO9b21sEKCZ6LcMbss2mJ3YtLXHgZ3Xuq3On89J73Hh7cH4ISRh2i3HMCxe\n yGIjznqlH+c8fwmoOGHMGrWIEgoN95kVR9Zar2QCX8Vssy5M5txrUgzdNAT5ztsZ6gH6\n IqsnRog6ucshvnp5Sk0/GHgcZl4LZocnaQZgbe4vRK6KijNUglqCPrXTHMrCSUglfb8X\n W+4bV4YWl29CfZWjJrrSSs7GM6n7IW4CLBFze8kA3lAzkI/ndlsJHD7+Kywo5O57tCSv\n RiNw==; darn=lists.denx.de","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=chromium.org; s=google; t=1776368206; x=1776973006; darn=lists.denx.de;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:from:to:cc:subject:date:message-id:reply-to;\n bh=eDjf9DdFvk9B5T9ogRXGZDki9sdmBXN2s1JfKPWixME=;\n b=AJzq5qrhgkFm/PoFQKyCnJJlBPkMCicoUDPwnaSCClzw7NzubKqgqwOuw9sVPI9nBS\n Z8X63l6YXBQsEq7lQiYdfgzbHPwHsnQbq84E4aGQoHCemtEIMiQ/FrR01RdFqAkdpPzz\n kIObjymN/sDGs7lUjV4GLb92Qwk+mvToHqT+A=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776368206; x=1776973006;\n h=cc:to:subject:message-id:date:from:in-reply-to:references\n :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=eDjf9DdFvk9B5T9ogRXGZDki9sdmBXN2s1JfKPWixME=;\n b=WJjiWiKYNU+j8lOJPjyEGcFy3nK1B3o8YYJ7E4+PfQHMH1QIGH4yLE7yfjO7M6lWno\n ILBGRyN2SCCSXkXtJupUvk+NBANGGg5Y1oJ3tRsuaQR3QkqfsfBjQvMS+01IK8JHM5vL\n wHHQ+4lgIXYPMNNfTCCiipvNkY3KQCiJYmrNZQ7JXKNOId6LjCJT7j85ZBO62fcsykSL\n KAGFXHGJTZVbTTYTSxfw2mVsODxWKbZPJDcMVpCY2jGxYuvVfp27GaRogphwYn/c17N5\n rS37RPBsTs3TcRPXi0Y/77th4frdslG0HTsXiikL3IvZmiKv8hHWhx77dAbLz0+907OV\n ob/Q==","X-Forwarded-Encrypted":"i=1;\n AFNElJ+sI9vA4DFMUeTVa1oW3NpN6V6TlLnX36lUSOL57NH3VEO0xCrHAnJe8C3YI1LKmtnl5F1cGJo=@lists.denx.de","X-Gm-Message-State":"AOJu0YxcGWGSpp7xeScJB2jRbAOswEvjFbSzgSN9VqXnwPt66sFO8spy\n eGMqC6uqnIu90y7Vsbi4GpQgtehReOiIoslWm0isA6jE3PGF0v+INRm2POfrYN/W1Ut4x+Agvpu\n /wlFLu73mhoYJ+E9MQaFchL10f8SpZbEgT6N432z+","X-Gm-Gg":"AeBDievT2c08/uZbFcIOGvWt9ISK1vFTSpmSiDCN0iMBGuLjaeupHzjlWAvNlnfSjS7\n D3T1DKgCMjMAytV0lJQvIUc5QEve+VQx3YUqraFUBzmbLEo3AEGP/RstISXQEXIyWf1stEWqskA\n Pv57s3DnEfqwT8OG5iMk9SNYUmUes2ChMM45+ktxL/OEvPbCNdhh0sVbUSnjz3g1gDDmPvYNJxP\n 6A3UiqREXO5POJ7j0UrIRTt4u/5/tvoDQZUiXId9ivnGmgcPKczKK1smad8qZaPGQzCxBUg462Z\n /0HC8dE5caDxijqZtV4O","X-Received":"by 2002:a17:907:d490:b0:b9c:f70f:7211 with SMTP id\n a640c23a62f3a-ba3de1c0476mr41412766b.44.1776368206285; Thu, 16 Apr 2026\n 12:36:46 -0700 (PDT)","MIME-Version":"1.0","References":"<cover.1776302805.git.daniel@makrotopia.org>\n <5945d65ed7d795cc753d76bc503a9c2e47fb6bb3.1776302806.git.daniel@makrotopia.org>","In-Reply-To":"\n <5945d65ed7d795cc753d76bc503a9c2e47fb6bb3.1776302806.git.daniel@makrotopia.org>","From":"Simon Glass <sjg@chromium.org>","Date":"Fri, 17 Apr 2026 07:36:33 +1200","X-Gm-Features":"AQROBzCVS0MhhBPaCdn60ClPjHRxOY7sb_pDnLnAGMCBBXfwdlaQkXIkxrIDEFw","Message-ID":"\n <CAFLszTiW=ysumFM=H580CZEeH=Z6_EqJaNmpN5wwqGD+Csp=VA@mail.gmail.com>","Subject":"Re: [PATCH v2 4/7] tools: mkimage: add dm-verity Merkle-tree\n generation","To":"daniel@makrotopia.org","Cc":"Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,\n Quentin Schulz <quentin.schulz@cherry.de>,\n Kory Maincent <kory.maincent@bootlin.com>,\n Mattijs Korpershoek <mkorpershoek@kernel.org>, Peng Fan <peng.fan@nxp.com>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>, Martin Schwan <m.schwan@phytec.de>,\n Anshul Dalal <anshuld@ti.com>,\n Ilias Apalodimas <ilias.apalodimas@linaro.org>,\n Sughosh Ganu <sughosh.ganu@arm.com>,\n Aristo Chen <jj251510319013@gmail.com>,\n Ludwig Nussel <ludwig.nussel@siemens.com>,\n Benjamin ROBIN <dev@benjarobin.fr>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n James Hilliard <james.hilliard1@gmail.com>,\n Wolfgang Wallner <wolfgang.wallner@at.abb.com>,\n Kunihiko Hayashi <hayashi.kunihiko@socionext.com>,\n David Lechner <dlechner@baylibre.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Mayuresh Chitale <mchitale@ventanamicro.com>,\n Jonas Karlman <jonas@kwiboo.se>, Shiji Yang <yangshiji66@outlook.com>,\n Rasmus Villemoes <ravi@prevas.dk>, Francois Berder <fberder@outlook.fr>,\n u-boot@lists.denx.de","Content-Type":"text/plain; charset=\"UTF-8\"","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]