{"id":2223705,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2223705/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/9ceb70fcad4dec6efae1b03297f38665926b6c9f.1776302806.git.daniel@makrotopia.org/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<9ceb70fcad4dec6efae1b03297f38665926b6c9f.1776302806.git.daniel@makrotopia.org>","date":"2026-04-16T01:47:11","name":"[v2,7/7] test: py: add mkimage dm-verity round-trip test","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"7fe2e495a20567086122aa01607db5993919856c","submitter":{"id":64091,"url":"http://patchwork.ozlabs.org/api/1.1/people/64091/?format=json","name":"Daniel Golle","email":"daniel@makrotopia.org"},"delegate":{"id":3651,"url":"http://patchwork.ozlabs.org/api/1.1/users/3651/?format=json","username":"trini","first_name":"Tom","last_name":"Rini","email":"trini@ti.com"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/9ceb70fcad4dec6efae1b03297f38665926b6c9f.1776302806.git.daniel@makrotopia.org/mbox/","series":[{"id":500065,"url":"http://patchwork.ozlabs.org/api/1.1/series/500065/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=500065","date":"2026-04-16T01:46:15","name":"fit: dm-verity support","version":2,"mbox":"http://patchwork.ozlabs.org/series/500065/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223705/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223705/checks/","tags":{},"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=makrotopia.org","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de; dmarc=none (p=none dis=none)\n header.from=makrotopia.org","phobos.denx.de;\n spf=pass smtp.mailfrom=daniel@makrotopia.org"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fx19p1Hgmz1yG9\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 11:47:58 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 21FC984119;\n\tThu, 16 Apr 2026 03:47:32 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id BBA1484228; Thu, 16 Apr 2026 03:47:30 +0200 (CEST)","from pidgin.makrotopia.org (pidgin.makrotopia.org\n [IPv6:2a07:2ec0:3002::65])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 0AE328423F\n for <u-boot@lists.denx.de>; Thu, 16 Apr 2026 03:47:27 +0200 (CEST)","from local\n by pidgin.makrotopia.org with esmtpsa (TLS1.3:TLS_AES_256_GCM_SHA384:256)\n (Exim 4.99) (envelope-from <daniel@makrotopia.org>)\n id 1wDBp4-000000006hE-1aVW; Thu, 16 Apr 2026 01:47:14 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-1.9 required=5.0 tests=BAYES_00,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","Date":"Thu, 16 Apr 2026 02:47:11 +0100","From":"Daniel Golle <daniel@makrotopia.org>","To":"Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,\n Quentin Schulz <quentin.schulz@cherry.de>,\n Kory Maincent <kory.maincent@bootlin.com>,\n Mattijs Korpershoek <mkorpershoek@kernel.org>, Peng Fan <peng.fan@nxp.com>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>,\n Martin Schwan <m.schwan@phytec.de>,\n Daniel Golle <daniel@makrotopia.org>, Anshul Dalal <anshuld@ti.com>,\n Ilias Apalodimas <ilias.apalodimas@linaro.org>,\n Sughosh Ganu <sughosh.ganu@arm.com>,\n Aristo Chen <jj251510319013@gmail.com>,\n Ludwig Nussel <ludwig.nussel@siemens.com>,\n Benjamin ROBIN <dev@benjarobin.fr>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n James Hilliard <james.hilliard1@gmail.com>,\n Wolfgang Wallner <wolfgang.wallner@at.abb.com>,\n Kunihiko Hayashi <hayashi.kunihiko@socionext.com>,\n David Lechner <dlechner@baylibre.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Mayuresh Chitale <mchitale@ventanamicro.com>,\n Jonas Karlman <jonas@kwiboo.se>, Shiji Yang <yangshiji66@outlook.com>,\n Rasmus Villemoes <ravi@prevas.dk>,\n Francois Berder <fberder@outlook.fr>, u-boot@lists.denx.de","Subject":"[PATCH v2 7/7] test: py: add mkimage dm-verity round-trip test","Message-ID":"\n <9ceb70fcad4dec6efae1b03297f38665926b6c9f.1776302806.git.daniel@makrotopia.org>","References":"<cover.1776302805.git.daniel@makrotopia.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<cover.1776302805.git.daniel@makrotopia.org>","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Add test/py/tests/test_fit_verity.py with two tests.\n\nBoth tests are skipped if veritysetup is not installed on the host.\n\nSigned-off-by: Daniel Golle <daniel@makrotopia.org>\n---\nv2: new patch\n\n test/py/tests/test_fit_verity.py | 153 +++++++++++++++++++++++++++++++\n 1 file changed, 153 insertions(+)\n create mode 100644 test/py/tests/test_fit_verity.py","diff":"diff --git a/test/py/tests/test_fit_verity.py b/test/py/tests/test_fit_verity.py\nnew file mode 100644\nindex 00000000000..670232995cc\n--- /dev/null\n+++ b/test/py/tests/test_fit_verity.py\n@@ -0,0 +1,153 @@\n+# SPDX-License-Identifier: GPL-2.0+\n+#\n+# Copyright 2026 Daniel Golle <daniel@makrotopia.org>\n+\n+\"\"\"\n+Test mkimage dm-verity Merkle-tree generation\n+\n+Build a minimal .its with a dm-verity subnode (user-provided properties only),\n+run mkimage -E, and verify that the computed properties (digest, salt,\n+num-data-blocks, hash-start-block) are written into the resulting FIT.\n+\n+This test does not run the sandbox.  It only exercises the host tool 'mkimage'.\n+Requires 'veritysetup' from the cryptsetup package on the build host.\n+\"\"\"\n+\n+import os\n+import shutil\n+import pytest\n+import struct\n+import utils\n+\n+ITS_TEMPLATE = \"\"\"\\\n+/dts-v1/;\n+\n+/ {\n+    description = \"dm-verity test\";\n+    #address-cells = <1>;\n+\n+    images {\n+        rootfs {\n+            description = \"test filesystem\";\n+            data = /incbin/(\"./rootfs.bin\");\n+            type = \"filesystem\";\n+            arch = \"sandbox\";\n+            compression = \"none\";\n+\n+            dm-verity {\n+                algo = \"sha256\";\n+                data-block-size = <4096>;\n+                hash-block-size = <4096>;\n+            };\n+        };\n+    };\n+\n+    configurations {\n+        default = \"conf-1\";\n+        conf-1 {\n+            description = \"test config\";\n+            loadables = \"rootfs\";\n+        };\n+    };\n+};\n+\"\"\"\n+\n+def have_veritysetup():\n+    return shutil.which('veritysetup') is not None\n+\n+\n+@pytest.mark.requiredtool('dtc')\n+@pytest.mark.requiredtool('fdtget')\n+@pytest.mark.skipif(not have_veritysetup(),\n+                    reason='veritysetup not installed')\n+def test_mkimage_verity(ubman):\n+    \"\"\"Test that mkimage computes dm-verity properties correctly.\"\"\"\n+\n+    mkimage = ubman.config.build_dir + '/tools/mkimage'\n+    tempdir = os.path.join(ubman.config.result_dir, 'verity')\n+    os.makedirs(tempdir, exist_ok=True)\n+\n+    rootfs_file = os.path.join(tempdir, 'rootfs.bin')\n+    its_file = os.path.join(tempdir, 'image.its')\n+    fit_file = os.path.join(tempdir, 'image.itb')\n+\n+    # Create a dummy filesystem image: 64 x 4096-byte blocks of 0xa5\n+    block_size = 4096\n+    num_blocks = 64\n+    with open(rootfs_file, 'wb') as f:\n+        f.write(bytes([0xa5]) * block_size * num_blocks)\n+\n+    with open(its_file, 'w') as f:\n+        f.write(ITS_TEMPLATE)\n+\n+    # Build the FIT with external data (required for dm-verity)\n+    dtc_args = f'-I dts -O dtb -i {tempdir}'\n+    utils.run_and_log(ubman,\n+                      [mkimage, '-E', '-D', dtc_args, '-f', its_file, fit_file])\n+\n+    # Helper to read FIT properties via fdtget\n+    def fdt_get(node, prop):\n+        val = utils.run_and_log(\n+            ubman, f'fdtget {fit_file} {node} {prop}')\n+        return val.strip()\n+\n+    def fdt_get_hex(node, prop):\n+        \"\"\"Read a byte-array property as hex string.\"\"\"\n+        val = utils.run_and_log(\n+            ubman, f'fdtget -tbx {fit_file} {node} {prop}')\n+        return ''.join(b.zfill(2) for b in val.strip().split())\n+\n+    verity_path = '/images/rootfs/dm-verity'\n+\n+    # Verify mkimage filled in the computed properties\n+    algo = fdt_get(verity_path, 'algo')\n+    assert algo == 'sha256', f'algo mismatch: {algo}'\n+\n+    dbs = int(fdt_get(verity_path, 'data-block-size'))\n+    assert dbs == block_size, f'data-block-size mismatch: {dbs}'\n+\n+    hbs = int(fdt_get(verity_path, 'hash-block-size'))\n+    assert hbs == block_size, f'hash-block-size mismatch: {hbs}'\n+\n+    nblk = int(fdt_get(verity_path, 'num-data-blocks'))\n+    assert nblk == num_blocks, f'num-data-blocks mismatch: {nblk} != {num_blocks}'\n+\n+    hblk = int(fdt_get(verity_path, 'hash-start-block'))\n+    # With --no-superblock, hash-start-block == num-data-blocks\n+    assert hblk == num_blocks, f'hash-start-block mismatch: {hblk} != {num_blocks}'\n+\n+    # digest and salt should be non-empty hex strings (sha256 = 32 bytes = 64 hex chars)\n+    digest = fdt_get_hex(verity_path, 'digest')\n+    assert len(digest) == 64, f'digest length mismatch: {len(digest)} (expected 64)'\n+    # Should not be all zeros\n+    assert digest != '0' * 64, 'digest is all zeros'\n+\n+    salt = fdt_get_hex(verity_path, 'salt')\n+    assert len(salt) == 64, f'salt length mismatch: {len(salt)} (expected 64)'\n+\n+\n+@pytest.mark.requiredtool('dtc')\n+@pytest.mark.skipif(not have_veritysetup(),\n+                    reason='veritysetup not installed')\n+def test_mkimage_verity_requires_external(ubman):\n+    \"\"\"Test that mkimage rejects dm-verity without -E flag.\"\"\"\n+\n+    mkimage = ubman.config.build_dir + '/tools/mkimage'\n+    tempdir = os.path.join(ubman.config.result_dir, 'verity_no_ext')\n+    os.makedirs(tempdir, exist_ok=True)\n+\n+    rootfs_file = os.path.join(tempdir, 'rootfs.bin')\n+    its_file = os.path.join(tempdir, 'image.its')\n+    fit_file = os.path.join(tempdir, 'image.itb')\n+\n+    with open(rootfs_file, 'wb') as f:\n+        f.write(bytes([0xa5]) * 4096 * 8)\n+\n+    with open(its_file, 'w') as f:\n+        f.write(ITS_TEMPLATE)\n+\n+    # Without -E, mkimage should fail for dm-verity images\n+    dtc_args = f'-I dts -O dtb -i {tempdir}'\n+    with pytest.raises(Exception):\n+        utils.run_and_log(ubman,\n+                          [mkimage, '-D', dtc_args, '-f', its_file, fit_file])\n","prefixes":["v2","7/7"]}