[{"id":3682808,"web_url":"http://patchwork.ozlabs.org/comment/3682808/","msgid":"<8dc3d041-cafb-4022-833b-64ee9c950d7e@cherry.de>","list_archive_url":null,"date":"2026-04-27T16:19:24","subject":"Re: [PATCH 2/4] iminfo: also verify signatures","submitter":{"id":88462,"url":"http://patchwork.ozlabs.org/api/people/88462/","name":"Quentin Schulz","email":"quentin.schulz@cherry.de"},"content":"Hi Ludwig,\n\nOn 4/27/26 5:03 PM, Ludwig Nussel wrote:\n> The iminfo command already verifies hashes of images. This change also\n> verifies signatures of configurations if enabled.\n> \n> Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>\n> ---\n> \n>   boot/image-fit.c | 36 ++++++++++++++++++++++++++++++++++++\n>   cmd/bootm.c      |  7 +++++++\n>   include/image.h  |  1 +\n>   3 files changed, 44 insertions(+)\n> \n> diff --git a/boot/image-fit.c b/boot/image-fit.c\n> index 2d2709aa5b1..b2c6db79edb 100644\n> --- a/boot/image-fit.c\n> +++ b/boot/image-fit.c\n> 
@@ -1512,6 +1512,42 @@ int fit_all_image_verify(const void *fit)\n>   \treturn 1;\n>   }\n>   \n> +int fit_all_configurations_verify(const void *fit)\n> +{\n\nPlease document this function. It's clearly surprising to me that the \nfunction successfully return if at least one conf node could be verified.\n\n> +\tint confs_noffset;\n> +\tint noffset;\n> +\tint r = -ENOENT;\n> +\n> +\t/* Find images parent node offset */\n> +\tconfs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH);\n> +\tif (confs_noffset < 0) {\n> +\t\tprintf(\"Can't find configurations parent node '%s' (%s)\\n\",\n> +\t\t       FIT_IMAGES_PATH, fdt_strerror(confs_noffset));\n> +\t\treturn confs_noffset;\n> +\t}\n> +\n> +\t/* Process all config subnodes, check hashes for each */\n> +\tprintf(\"## Checking signatures for FIT Image at %08lx ...\\n\",\n> +\t       (ulong)fit);\n> +\n\nPlease mention in the log output that we are checking conf signatures \nand not image signatures.\n\n> +\tfdt_for_each_subnode(noffset, fit, confs_noffset) {\n> +\t\tint ret;\n> +\n> +\t\tprintf(\"%s ... \", fit_get_name(fit, noffset, NULL));\n\nPlease indent like we have for fit image node verification, with 3 \nleading spaces.\n\n> +\t\tret = fit_config_verify(fit, noffset);\n> +\t\tif (ret) {\n> +\t\t\tr = ret;\n> +\t\t\tcontinue;\n> +\t\t}\n> +\t\t/* at least one correct config */\n> +\t\tif (r == -ENOENT)\n\nWhere is this ENOENT originating from, it's not obvious to me.\n\n> +\t\t\tr = 0;\n\nThis will be overwritten if the last checked config is a fail, so it \nisn't \"at least one correct config\".\n\n> +\t\tputs(\"OK\\n\");\n> +\t}\n> +\n> +\treturn r;\n\nPlease stay consistent with fit_all_image_verify which returns 0 if not \nall images are valid, otherwise 1. Here the logic is inverted and allow \nfor partial verification. 
The former is an issue, the latter *could* be \nfine if we document it well.\n\n> +}\n> +\n>   static int fit_image_uncipher(const void *fit, int image_noffset,\n>   \t\t\t      void **data, size_t *size)\n>   {\n> diff --git a/cmd/bootm.c b/cmd/bootm.c\n> index ca7cec91fad..2faa9648c46 100644\n> --- a/cmd/bootm.c\n> +++ b/cmd/bootm.c\n> 
@@ -335,6 +335,13 @@ static int image_info(ulong addr)\n>   \t\t\treturn 1;\n>   \t\t}\n>   \n> +\t\tif (CONFIG_IS_ENABLED(FIT_SIGNATURE) &&\n> +\t\t    fit_all_configurations_verify(hdr) != 0) {\n> +\t\t\tputs(\"Signature verification failed!\\n\");\n> +\t\t\tunmap_sysmem(hdr);\n> +\t\t\treturn 1;\n> +\t\t}\n> +\n\nAfter patch 4/4, I believe this will now fail if you have a FIT image \nwith only image signatures and no conf signatures (which is valid!).\n\nAlso need tests to make sure this doesn't regress.\n\nCheers,\nQuentin","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=cherry.de header.i=@cherry.de header.a=rsa-sha256\n header.s=selector1 header.b=UXHMUJ/9;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=cherry.de","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=cherry.de header.i=@cherry.de header.b=\"UXHMUJ/9\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=cherry.de","phobos.denx.de;\n spf=pass smtp.mailfrom=quentin.schulz@cherry.de","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=cherry.de;"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g480S4zPrz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 02:19:36 +1000 (AEST)","from 
h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 6EEA683BC4;\n\tMon, 27 Apr 2026 18:19:32 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 3E2EC84178; Mon, 27 Apr 2026 18:19:31 +0200 (CEST)","from AM0PR83CU005.outbound.protection.outlook.com\n (mail-westeuropeazlp170100001.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c201::1])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 29DE283AA9\n for <u-boot@lists.denx.de>; Mon, 27 Apr 2026 18:19:29 +0200 (CEST)","from PA4PR04MB7743.eurprd04.prod.outlook.com (2603:10a6:102:b8::20)\n by AMCPR04MB12672.eurprd04.prod.outlook.com (2603:10a6:20b:76e::18)\n with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9846.26; Mon, 27 Apr\n 2026 16:19:26 +0000","from PA4PR04MB7743.eurprd04.prod.outlook.com\n ([fe80::9a4e:252f:2fd:97b7]) by PA4PR04MB7743.eurprd04.prod.outlook.com\n ([fe80::9a4e:252f:2fd:97b7%6]) with mapi id 15.20.9846.016; Mon, 27 Apr 2026\n 16:19:26 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=ikUubd0FCmrg6eJ3aBxxBGqXgGAZCkprwE2SH+ACRgRAg8F1nQQ+9sS+5PGuWbNs085LmZxCtv/RX6k68ihJmTvh/GY/04QURxMuZykNJQjn4Ns78OJbGk1MsuhpCqPlwkiBQba32LzGkvevGbs2IvFM93cDe2WkSyHktBITUweLtNu542qFeh4M0XG1EM4ThLza8HIUHkCJ73S3PoSAoIHmlZLG4lpnTRROUeGKlzf1wSeQe0/Q6VC+6NZYZUOfllQ++qpZ4J7lALt3b2eZbyTq4T2WXIDaknNJCgF1/wCZWrNjVxy9DAuAIRCejxDiVR8BGzZf+A1yV2uLlbTsZA==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n 
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=ghoZW5VJ7TC/1craH5wzDvGz6uESjnxjbsE+u0Bc+VY=;\n b=hfIP1/Ql5+DtTqwCqwDH06WLBElSVTCrhJ7ZyVu2L6Y8me82KN5OumEeE9kNKDNmRIEnvvO+kmLfgw31geuXuKhKRlCbLcNLG+Ppc7zoBo5joSjPCY5ItXs/BY5zT9yFThhQRIqSmByGPJ/tJ+9Jq6TCesPtyWnHUZQS64Mc8frabcXSLbNwe642R1hgChZcIB17hBCrKZktueQUGTHttkFQ+JV7AcLi9fCq+sV3+ujN0+A3cGAvLXQp1YhUyWyqDylhFlzbHoxZZcRAZpTs2fSr7P2kTZlDQgsbQwBXxesJY5V9UfPUEKFpprnpf8wbpJmj91dyyl29YajLqMFbWg==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=cherry.de; dmarc=pass action=none header.from=cherry.de;\n dkim=pass header.d=cherry.de; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=cherry.de;\n s=selector1;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=ghoZW5VJ7TC/1craH5wzDvGz6uESjnxjbsE+u0Bc+VY=;\n b=UXHMUJ/9VY6zVnc7SjBEj4y8Q3KDFeYJE0ErQeOZ0T5TDVLkGFRIYeYVHhPSiVBtoYl21LvWaErHl671d2lR6HBBj0NsIBbipDYW6yo0hwVj7weTrfQ6EfhWFOKVJdAUbB9HK5uSQ9xFYtUvZXC0sI0btWMnYkUn42vXplXTkmQ=","Message-ID":"<8dc3d041-cafb-4022-833b-64ee9c950d7e@cherry.de>","Date":"Mon, 27 Apr 2026 18:19:24 +0200","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 2/4] iminfo: also verify signatures","To":"Ludwig Nussel <ludwig.nussel@siemens.com>, u-boot@lists.denx.de","Cc":"Frank Wunderlich <frank-w@public-files.de>,\n James Hilliard <james.hilliard1@gmail.com>, Jonas Karlman <jonas@kwiboo.se>,\n Julien Stephan <jstephan@baylibre.com>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n Mayuresh Chitale <mchitale@ventanamicro.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Osama Abdelkader <osama.abdelkader@gmail.com>,\n Patrice Chotard <patrice.chotard@foss.st.com>, Peng Fan <peng.fan@nxp.com>,\n Shiji Yang <yangshiji66@outlook.com>, Tom Rini <trini@konsulko.com>,\n Wolfgang Wallner <wolfgang.wallner@at.abb.com>, Yao Zi 
<me@ziyao.cc>","References":"<20260427150409.400914-1-ludwig.nussel@siemens.com>\n <20260427150409.400914-2-ludwig.nussel@siemens.com>","Content-Language":"en-US","From":"Quentin Schulz <quentin.schulz@cherry.de>","In-Reply-To":"<20260427150409.400914-2-ludwig.nussel@siemens.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","X-ClientProxiedBy":"FR4P281CA0049.DEUP281.PROD.OUTLOOK.COM\n (2603:10a6:d10:cc::13) To PA4PR04MB7743.eurprd04.prod.outlook.com\n (2603:10a6:102:b8::20)","MIME-Version":"1.0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"PA4PR04MB7743:EE_|AMCPR04MB12672:EE_","X-MS-Office365-Filtering-Correlation-Id":"b6b4542d-5b86-4004-6a12-08dea478c04b","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|7416014|1800799024|376014|10070799003|366016|18002099003|22082099003|56012099003;","X-Microsoft-Antispam-Message-Info":"\n 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","X-Forefront-Antispam-Report":"CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:PA4PR04MB7743.eurprd04.prod.outlook.com; PTR:; CAT:NONE;\n SFS:(13230040)(7416014)(1800799024)(376014)(10070799003)(366016)(18002099003)(22082099003)(56012099003);\n DIR:OUT; 
SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"","X-OriginatorOrg":"cherry.de","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n b6b4542d-5b86-4004-6a12-08dea478c04b","X-MS-Exchange-CrossTenant-AuthSource":"PA4PR04MB7743.eurprd04.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Internal","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"27 Apr 2026 16:19:26.3723 (UTC)","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"5e0e1b52-21b5-4e7b-83bb-514ec460677e","X-MS-Exchange-CrossTenant-MailboxType":"HOSTED","X-MS-Exchange-CrossTenant-UserPrincipalName":"","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"AMCPR04MB12672","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at 
phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3683226,"web_url":"http://patchwork.ozlabs.org/comment/3683226/","msgid":"<e2580067-f952-49bf-a9c0-a67bdbe449a2@siemens.com>","list_archive_url":null,"date":"2026-04-28T08:13:52","subject":"Re: [PATCH 2/4] iminfo: also verify signatures","submitter":{"id":90265,"url":"http://patchwork.ozlabs.org/api/people/90265/","name":"Ludwig Nussel","email":"ludwig.nussel@siemens.com"},"content":"On 4/27/26 18:19, Quentin Schulz wrote:\n> On 4/27/26 5:03 PM, Ludwig Nussel wrote:\n>> The iminfo command already verifies hashes of images. This change also\n>> verifies signatures of configurations if enabled.\n>>\n>> Signed-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>\n>> ---\n>>\n>>   boot/image-fit.c | 36 ++++++++++++++++++++++++++++++++++++\n>>   cmd/bootm.c      |  7 +++++++\n>>   include/image.h  |  1 +\n>>   3 files changed, 44 insertions(+)\n>>\n>> diff --git a/boot/image-fit.c b/boot/image-fit.c\n>> index 2d2709aa5b1..b2c6db79edb 100644\n>> --- a/boot/image-fit.c\n>> +++ b/boot/image-fit.c\n>> 
@@ -1512,6 +1512,42 @@ int fit_all_image_verify(const void *fit)\n>>       return 1;\n>>   }\n>> +int fit_all_configurations_verify(const void *fit)\n>> +{\n> \n> Please document this function. It's clearly surprising to me that the \n> function successfully return if at least one conf node could be verified.\n\nRight. Will add documentation. The function actually succeeds if all \nconfigurations have at least one valid signature according to \nfit_config_verify_required_keys().\n  > Please indent like we have for fit image node verification, with 3\n> leading spaces.\n> \n>> +        ret = fit_config_verify(fit, noffset);\n>> +        if (ret) {\n>> +            r = ret;\n>> +            continue;\n>> +        }\n>> +        /* at least one correct config */\n>> +        if (r == -ENOENT)\n> \n> Where is this ENOENT originating from, it's not obvious to me.\n\nr is initialized with -ENOENT. As long as it has this setting there was \nno failed signature.\n\n>> +            r = 0;\n> \n> This will be overwritten if the last checked config is a fail, so it \n> isn't \"at least one correct config\".\n> \n>> +        puts(\"OK\\n\");\n>> +    }\n>> +\n>> +    return r;\n> \n> Please stay consistent with fit_all_image_verify which returns 0 if not \n> all images are valid, otherwise 1. Here the logic is inverted and allow \n> for partial verification. The former is an issue, the latter *could* be \n> fine if we document it well.\n\nRight, U-Boot in general seems to mix styles. I made this consistent \nwith fit_config_verify() which it uses.\n\n>> +}\n>> +\n>>   static int fit_image_uncipher(const void *fit, int image_noffset,\n>>                     void **data, size_t *size)\n>>   {\n>> diff --git a/cmd/bootm.c b/cmd/bootm.c\n>> index ca7cec91fad..2faa9648c46 100644\n>> --- a/cmd/bootm.c\n>> +++ b/cmd/bootm.c\n>> 
@@ -335,6 +335,13 @@ static int image_info(ulong addr)\n>>               return 1;\n>>           }\n>> +        if (CONFIG_IS_ENABLED(FIT_SIGNATURE) &&\n>> +            fit_all_configurations_verify(hdr) != 0) {\n>> +            puts(\"Signature verification failed!\\n\");\n>> +            unmap_sysmem(hdr);\n>> +            return 1;\n>> +        }\n>> +\n> \n> After patch 4/4, I believe this will now fail if you have a FIT image \n> with only image signatures and no conf signatures (which is valid!).\n\nIndeed. If the image signing is still a thing to support, would it make \nsense to introduce an option to enforce config signatures?\n\ncu\nLudwig","headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=siemens.com header.i=@siemens.com header.a=rsa-sha256\n header.s=selector2 header.b=DCl9SqlN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=siemens.com header.i=@siemens.com header.b=\"DCl9SqlN\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=ludwig.nussel@siemens.com","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=siemens.com;"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby 
legolas.ozlabs.org (Postfix) with ESMTPS id 4g4Y9s5pJgz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 18:14:09 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id BA0E084255;\n\tTue, 28 Apr 2026 10:14:01 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id C093184255; Tue, 28 Apr 2026 10:13:59 +0200 (CEST)","from PA4PR04CU001.outbound.protection.outlook.com\n (mail-francecentralazlp170130007.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c20a::7])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 87F0D803C6\n for <u-boot@lists.denx.de>; Tue, 28 Apr 2026 10:13:56 +0200 (CEST)","from DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:2cc::12)\n by AM7PR10MB3891.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:178::12)\n with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9846.25; Tue, 28 Apr\n 2026 08:13:54 +0000","from DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM\n ([fe80::97ce:ff62:c0b8:4ed1]) by DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM\n ([fe80::97ce:ff62:c0b8:4ed1%7]) with mapi id 15.20.9846.025; Tue, 28 Apr 2026\n 08:13:54 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.9 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_NONE autolearn=ham\n autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n 
b=gDHLPfUj/7hF041Wd1C8ua/DZm8pe49FQN6b7r9QtcohdV0nsUW5+CBjuDXZfC4iC4BGHEKO0ejjSpe7J9KOBf25j2x3Z6WgFnLspiYs8X2GAHuFj5ev26smDu/VC6yixxFlg5QWJmtLYOUmlX2L2wYD50gL6uoNvQqyqkJmIGb9dRFPqicmFVAegvBIWWm+ztFSaLdMKDaep2ro21Mov7qXKOfDNosmHx7yafQLBljKrZVRkrc8ffAUppUO2tIiCp+Tx020UnOBlW925AiSCqEd8FblT+TGnDN3mxraFPScmW1bg+wajXy+4D4QO+NWN2d8Alqs4IUzrVfIx6Pc8Q==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=kpa/LTRK+AsC/nBwlnm8gqY+j9Rj7ujba9x1owotANc=;\n b=HWO9GB86kuPIesr8KmoNdWsVat3UPKCFJyO/oPYePP7Nh1Ru/wMuEmmNBSnyn9jAR4roHymKBeRWyLantvmGJCDMGt138ease+AAXonZ/ihZ+FN4qM1VrQ6KTy0C16sK00B+9jRiJ19m5emecLwH62dvjzTKf+Y6S02ZC4iRhhYF9w6KUK/tIAM+f1gi522X3h7kgqW9bitSaYXRuJsXZrSkJDlOQjFif7cToFolmoSDxE4NK7UtyiZyDZEgPfhM3MdSETniifQsS3XVe98HFSQQMaQeIgPBK5QnxeHae0lDoxQDApdHYVlMDEkGlD8C5TQm+XX9hbOHRfQikItsZw==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com;\n dkim=pass header.d=siemens.com; arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com;\n s=selector2;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=kpa/LTRK+AsC/nBwlnm8gqY+j9Rj7ujba9x1owotANc=;\n b=DCl9SqlNQRetgac+N/ZG+8OYv7H9Lx9rOptS2J45fbezgNMhDX+LQ/UIyMzugCnK5xtmviO+k/OXjjNmr1BY0HFQkgw0sTUOnq1yHtzhVGi44gDFWPwrk6zDRme+36hwwKAWec4QIH0hMnOdaYCltsXyD4fE959Zv+18UPZkUAq7uaU88hzKV0VTwW6hPqLbftOCcrrm88LWBOELQq+KJpNH7vFEx+bwGt1EyGQM0aEU/NvHkkJpRlPEvvr/xMrXV/Vp1K8H+Vdw2W/xuD8Qig9KB/OMyp5mNB79RcNkgRE5zCxU1v5YjgB7fyxgpm1Gankp5+/V+/jaRq61+ntdYw==","Message-ID":"<e2580067-f952-49bf-a9c0-a67bdbe449a2@siemens.com>","Date":"Tue, 28 Apr 2026 10:13:52 +0200","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 2/4] iminfo: also verify 
signatures","To":"Quentin Schulz <quentin.schulz@cherry.de>, u-boot@lists.denx.de","Cc":"Frank Wunderlich <frank-w@public-files.de>,\n James Hilliard <james.hilliard1@gmail.com>, Jonas Karlman <jonas@kwiboo.se>,\n Julien Stephan <jstephan@baylibre.com>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n Mayuresh Chitale <mchitale@ventanamicro.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Osama Abdelkader <osama.abdelkader@gmail.com>,\n Patrice Chotard <patrice.chotard@foss.st.com>, Peng Fan <peng.fan@nxp.com>,\n Shiji Yang <yangshiji66@outlook.com>, Tom Rini <trini@konsulko.com>,\n Wolfgang Wallner <wolfgang.wallner@at.abb.com>, Yao Zi <me@ziyao.cc>","References":"<20260427150409.400914-1-ludwig.nussel@siemens.com>\n <20260427150409.400914-2-ludwig.nussel@siemens.com>\n <8dc3d041-cafb-4022-833b-64ee9c950d7e@cherry.de>","Content-Language":"en-US","From":"Ludwig Nussel <ludwig.nussel@siemens.com>","In-Reply-To":"<8dc3d041-cafb-4022-833b-64ee9c950d7e@cherry.de>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"8bit","X-ClientProxiedBy":"FR4P281CA0238.DEUP281.PROD.OUTLOOK.COM\n (2603:10a6:d10:e9::17) To DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM\n (2603:10a6:10:2cc::12)","MIME-Version":"1.0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"DB9PR10MB5019:EE_|AM7PR10MB3891:EE_","X-MS-Office365-Filtering-Correlation-Id":"7d424384-8b80-4f62-32fa-08dea4fe1695","X-MS-Exchange-AtpMessageProperties":"SA","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|7416014|376014|366016|1800799024|22082099003|18002099003|56012099003|55112099003;","X-Microsoft-Antispam-Message-Info":"\n 
","X-Forefront-Antispam-Report":"CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE;\n SFS:(13230040)(7416014)(376014)(366016)(1800799024)(22082099003)(18002099003)(56012099003)(55112099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"","X-OriginatorOrg":"siemens.com","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n 7d424384-8b80-4f62-32fa-08dea4fe1695","X-MS-Exchange-CrossTenant-AuthSource":"DB9PR10MB5019.EURPRD10.PROD.OUTLOOK.COM","X-MS-Exchange-CrossTenant-AuthAs":"Internal","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"28 Apr 2026 08:13:54.1976 (UTC)","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"38ae3bcd-9579-4fd4-adda-b42e1495d55a","X-MS-Exchange-CrossTenant-MailboxType":"HOSTED","X-MS-Exchange-CrossTenant-UserPrincipalName":"","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"AM7PR10MB3891","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]
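
Review bot: In the boot/image-fit.c hunk, the error path of fit_all_configurations_verify() looks up FIT_CONFS_PATH but passes FIT_IMAGES_PATH to printf, so a missing configurations node is reported under the wrong path; pass FIT_CONFS_PATH there and fix the copied comments ("Find images parent node offset", "check hashes for each"). The return contract also deserves a function comment, because it is not what the "at least one correct config" comment says: r starts at -ENOENT, becomes 0 only on a success while it is still -ENOENT, and is set to ret on every failure, so the function returns 0 only when every configuration verifies, the last error code otherwise, and -ENOENT when the node has no subnodes. On the failure branch the loop continues without printing anything after the "%s ... " prefix, so the next configuration name follows on the same line unless fit_config_verify() emits its own newline.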
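
Review bot: In the cmd/bootm.c hunk, the test fit_all_configurations_verify(hdr) != 0 treats every non-zero return as a bad signature, yet the helper added in boot/image-fit.c also returns the negative fdt_path_offset() result when the configurations node is missing and -ENOENT when it has no subnodes, so image_info() prints "Signature verification failed!" for a FIT that has nothing to verify. Separate the "no configurations to check" returns from a real verification error before failing iminfo, and add a test for each case. The 0-on-success convention here is also the opposite of the fit_all_image_verify() call pattern just above it in image_info(), which is easy to misread when the two checks sit next to each other; a short comment at the call site would help.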