{"id":2219507,"url":"http://patchwork.ozlabs.org/api/patches/2219507/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260403073251.1051533-1-paul.henrys_ext@softathome.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260403073251.1051533-1-paul.henrys_ext@softathome.com>","list_archive_url":null,"date":"2026-04-03T07:32:49","name":"[v3,1/3] tools: binman: Test signing an encrypted FIT with a preload header","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"bd20e58470fee7eab643c1abc80b17ac5f8e17d8","submitter":{"id":83555,"url":"http://patchwork.ozlabs.org/api/people/83555/?format=json","name":"Paul HENRYS","email":"paul.henrys_ext@softathome.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260403073251.1051533-1-paul.henrys_ext@softathome.com/mbox/","series":[{"id":498597,"url":"http://patchwork.ozlabs.org/api/series/498597/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=498597","date":"2026-04-03T07:32:49","name":"[v3,1/3] tools: binman: Test signing an encrypted FIT with a preload header","version":3,"mbox":"http://patchwork.ozlabs.org/series/498597/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2219507/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219507/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=softathome1.onmicrosoft.com header.i=@softathome1.onmicrosoft.com\n header.a=rsa-sha256 header.s=selector1-softathome1-onmicrosoft-com\n header.b=nbaju0Qd;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=none (p=none dis=none) header.from=softathome.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=softathome1.onmicrosoft.com header.i=@softathome1.onmicrosoft.com\n header.b=\"nbaju0Qd\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=none (p=none dis=none)\n header.from=softathome.com","phobos.denx.de;\n spf=pass smtp.mailfrom=paul.henrys_ext@softathome.com"],"Received":["from phobos.denx.de (unknown\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fn9Sy2ZVDz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 18:33:54 +1100 (AEDT)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 656DF8407E;\n\tFri,  3 Apr 2026 09:33:41 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id F17AA8382A; Fri,  3 Apr 2026 09:33:39 +0200 (CEST)","from PR0P264CU014.outbound.protection.outlook.com\n (mail-francecentralazlp170120004.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c20a::4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id EB6AA8382A\n for <u-boot+nodisclaimer@lists.denx.de>;\n Fri,  3 Apr 2026 09:33:37 +0200 (CEST)","from PA7P264CA0007.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:2d3::11)\n by PARP264MB4529.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:42e::7) with\n Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.20; Fri, 3 Apr\n 2026 07:33:35 +0000","from PA2PEPF00019232.FRAP264.PROD.OUTLOOK.COM\n (2603:10a6:102:2d3:cafe::2) by PA7P264CA0007.outlook.office365.com\n (2603:10a6:102:2d3::11) with Microsoft SMTP Server (version=TLS1_3,\n cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.21 via Frontend Transport; Fri,\n 3 Apr 2026 07:33:35 +0000","from proxy.softathome.com (149.6.166.170) by\n PA2PEPF00019232.mail.protection.outlook.com (10.167.242.38) with Microsoft\n SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.17\n via Frontend Transport; Fri, 3 Apr 2026 07:33:35 +0000","from sah2lpt245.. (unknown [192.168.72.220])\n by proxy.softathome.com (Postfix) with ESMTPSA id 95A282018F;\n Fri,  3 Apr 2026 09:33:34 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=0.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS,\n SUSPICIOUS_RECIPS autolearn=no autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=wNozeYs3lzwbkj5MJqaen65jwq0Rst3F4tHVk/fMxLT91mGe0lyGSOCoNs1ZsI28YkY4UvG6vSjjowvJDAsDPVlBJJJBoDIRvsxdzePP7CJ0u4Nzh7G/zK2HaIfNfQH2KMnrFwuPVn1Dv4SLL1cOzRYEMWs+csmmUDwyh9z6GxDLSKvxP2d8E+e0mvU0mn3nSkRfPj4a8R1jHJpGLKjt+OZ5qztRoOeqfABf3qeSZBqzo+ho+2u9et5lk5oPaHfzA8l59Z4WiV9q138dnT0chfLNrgwKR+P9lwe/6zxT7+idWPuoU9Edw8X+OaQQv0E52+kYdwFBJl8idbZpaUeLSQ==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=QjKHR9fWn8V8LabvbbqGetYQDv/vA3oaKK/vfkFQsEU=;\n b=UuHnwLITdJ15SKA1bjNWn4Z26XzReqs2foo6/fAma5u4YQz/tPDyCBvT85UzzeyDo94kUjDew2+G9fTofV/auAxA/047mixTnCJus5+ZXcbSSuC4sKjL0tnqfbL3vWCF3zK6E3rDxRiZY0+hqbhRDH8CIA1Z/S2P8ET7lg6FqBK5cODH0Kd+e87a+VYLFfoi27KiRWSdmDUfwFYt9hPfnXpFQ1JexM1GUnfTQOjlAWeu+I/xtjXOnfh8ZyMaK7m/C08NL9u/kxlEn/NfxZuOUDHZtEByOsq8y+I7YpL9gFnZu3WSMwCyjwgTd841jw8i1d9xbHN8fTpYdWJiz7wbhA==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass (sender ip is\n 149.6.166.170) smtp.rcpttodomain=chromium.org smtp.mailfrom=softathome.com;\n dmarc=bestguesspass action=none header.from=softathome.com; dkim=none\n (message not signed); arc=none (0)","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=softathome1.onmicrosoft.com; s=selector1-softathome1-onmicrosoft-com;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=QjKHR9fWn8V8LabvbbqGetYQDv/vA3oaKK/vfkFQsEU=;\n b=nbaju0QdbJeyDHyaQ2BsJK4jEr67IbS8zgrjnTRl550thAdoZKbfo2wfV84XpleMwAuDMpd9MluqWRnHaxT+Qc+iChJuIOchjq4VXxs0vcWa8G7Fa0XH3CTv4CKQexy/GpjkyPXkmGjIisZHcnX75owETPeqMtVsXnXUTC2g66zyXua7FF8jBlEof67XAoPT+X1nBvihe1448dkzsqddodNvxkHkiAO6DKFGuW0ptyjEecBRXjUFuqspmXX0K4oZJAYfQ7NYDNb0x8+ek1nrOijoI3mWW/llomWdURRx6r6ac7UJQ/hYtaOVAW1w5XX8HkCy1Jwpi49hhw0+Q+MSiQ==","X-MS-Exchange-Authentication-Results":"spf=pass (sender IP is 149.6.166.170)\n smtp.mailfrom=softathome.com; dkim=none (message not signed)\n header.d=none;dmarc=bestguesspass action=none header.from=softathome.com;","Received-SPF":"Pass (protection.outlook.com: domain of softathome.com\n designates 149.6.166.170 as permitted sender)\n receiver=protection.outlook.com; client-ip=149.6.166.170;\n helo=proxy.softathome.com; pr=C","From":"Paul HENRYS <paul.henrys_ext@softathome.com>","To":"u-boot+nodisclaimer@lists.denx.de","Cc":"sjg+nodisclaimer@chromium.org, trini+nodisclaimer@konsulko.com,\n alpernebiyasak+nodisclaimer@gmail.com,\n philippe.reynes+nodisclaimer@softathome.com,\n Paul HENRYS <paul.henrys_ext@softathome.com>","Subject":"[PATCH v3 1/3] tools: binman: Test signing an encrypted FIT with a\n preload header","Date":"Fri,  3 Apr 2026 09:32:49 +0200","Message-ID":"<20260403073251.1051533-1-paul.henrys_ext@softathome.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260402192431.2421155-1-yan.wang@softathome.com>","References":"<20260402192431.2421155-1-yan.wang@softathome.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-EOPAttributedMessage":"0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"PA2PEPF00019232:EE_|PARP264MB4529:EE_","Content-Type":"text/plain","X-MS-Office365-Filtering-Correlation-Id":"c4d6a841-e8e9-443e-c12d-08de9153506c","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|82310400026|376014|36860700016|1800799024|17002099007|18002099003|56012099003|22082099003;","X-Microsoft-Antispam-Message-Info":"\n z46loZRJn1AjNkTuY3FyT2V3L5rqfQMtdP/b4Jogyv3FJZKVQhUqyTxqf/uYqXIhxiVQW3idOvOht2W6kSJXMRCu8cP4lC2+fj/I8nmjFnoxKw0a7FIgwl4v6NO/Z15gxuJ75dIjhtZUeJMyt3LLeuHiGQRPSLO8bmpmJoRclDC1D3gfAlhlzXJyQNRlduT0hItQonxrWrmQ7OGnPYTTEGq16OEE3PL6K/SRdFfVBJlNk1uhTz3RqwdY3bh2P6VivrGHKpHL4KuO90N0A5GejjvrrYjiLPf1cx/UoF9XbaXMB51kK+c+oVs+1tbTzeb2IGgyw4XvoLYoMqE3VFcUvVB3RDjY/EmmU9JGXb+S4Ugl9nvVfrmUKqASZ/Ogcw6Vr6JvucFFl3MPNeyrTT/k73zkMe3jwH8bnm61NQQkPUWnRbC18zg/gsSEZEx6LkTt9qIyZ3UpljV5+DbaRE9tuD8Ua7lbiff5hxtoffE/l45/rcACoayIvW3f+CuBVbiiQzm8iq4uobsIWyQxQ0Dv7KBgCswo+XFr5w7Z2evWY+5r/GWxSJgFmdBylQiwdGKmbz4WINl7TVWEyBmady13SUQhg8DWkG3R8o3bi8BTcujCqgcnMfQqV7qK0Y9a864qJvH/ezrYOnFyA6nwDt4QqH5K6r6xwwdv8fg10iVVkLTtCwF76b0DQdwGFAWuv2kAz/yO/qDAJ5tK3VmLagcXqjaDzCqFrXkn6mg+pxlzE7hi/lXgRoynyLMqe5XKcI1/zc41u/EBcEK6fbbrW/Ovbg==","X-Forefront-Antispam-Report":"CIP:149.6.166.170; CTRY:FR; LANG:en; SCL:1; SRV:;\n IPV:CAL; SFV:NSPM; H:proxy.softathome.com; PTR:InfoDomainNonexistent;\n CAT:NONE;\n SFS:(13230040)(82310400026)(376014)(36860700016)(1800799024)(17002099007)(18002099003)(56012099003)(22082099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"\n HOt1PVmIHWGW2ayD7nz78TbT65CCNhK8s1mvVqku79pMorWe8jxwf+4bPjYhPDyrOPUfcg8tqRdzKvIFxpE2AHIrEnJlt6ptYx9abWBhFMZlP5rz1Mu1yXIDiWNSAYjV4g3F7KKrFfsu7OAseySsD64ZZ8gmEU5lLRE7wpaIvE8X3m97FAXYuv3MrDQI1/2D7bu/lJvQB/opD0GhlWU5t/XyU3CXEOjoF0PcaNKiTWNsKolSAkphnhWdc9KwmmwM8HpYkvhci0nt7uNgKUlEfjv+Lv5mAxiLDhHJqIRLelprgx1Fhf3gl874p4TU2dbYdBuMbR+4tfL09FF6AjW/vJVEVZFkx8Wixz9ruMT7DnrqY+/VDAtyPyjJl8diGAoDT1oB2wQgB2lVBSiOQiGQiHk+D/zQvLvO+NPTO7aLMham5LEcPq87MqKWxJd8TRFU","X-OriginatorOrg":"softathome.com","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"03 Apr 2026 07:33:35.0332 (UTC)","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n c4d6a841-e8e9-443e-c12d-08de9153506c","X-MS-Exchange-CrossTenant-Id":"aa10e044-e405-4c10-8353-36b4d0cce511","X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp":"\n TenantId=aa10e044-e405-4c10-8353-36b4d0cce511; Ip=[149.6.166.170];\n Helo=[proxy.softathome.com]","X-MS-Exchange-CrossTenant-AuthSource":"PA2PEPF00019232.FRAP264.PROD.OUTLOOK.COM","X-MS-Exchange-CrossTenant-AuthAs":"Anonymous","X-MS-Exchange-CrossTenant-FromEntityHeader":"HybridOnPrem","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"PARP264MB4529","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Add a test to verify the preload header correctly signs an encrypted\nFIT. This test exercises the case where encryption uses random IVs that\nwould change between mkimage calls.\n\nSigned-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>\n---\nChanges for v3:\n- Rebase against 'next' branch\n- Move test in tools/binman/test/fit without a numeric prefix\n- Update encryption key path passed to _DoReadFileDtb()\n\n tools/binman/ftest.py                         | 21 +++++++\n .../test/fit/pre_load_fit_encrypted.dts       | 63 +++++++++++++++++++\n 2 files changed, 84 insertions(+)\n create mode 100644 tools/binman/test/fit/pre_load_fit_encrypted.dts","diff":"diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py\nindex ca5149ee654..301c7705837 100644\n--- a/tools/binman/ftest.py\n+++ b/tools/binman/ftest.py\n@@ -5895,6 +5895,27 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap\n             data = self._DoReadFileDtb('security/pre_load_invalid_key.dts',\n                                        entry_args=entry_args)\n \n+    def testPreLoadEncryptedFit(self):\n+        \"\"\"Test an encrypted FIT image with a pre-load header\"\"\"\n+        entry_args = {\n+            'pre-load-key-path': os.path.join(self._binman_dir, 'test'),\n+        }\n+        data = tools.read_file(self.TestFile(\"fit/aes256.bin\"))\n+        self._MakeInputFile(\"keys/aes256.bin\", data)\n+\n+        keys_subdir = os.path.join(self._indir, \"keys\")\n+        data = self._DoReadFileDtb(\n+            'fit/pre_load_fit_encrypted.dts', entry_args=entry_args,\n+            extra_indirs=[keys_subdir])[0]\n+\n+        image_fname = tools.get_output_filename('image.bin')\n+        is_signed = self._CheckPreload(image_fname, self.TestFile(\"dev.key\"))\n+\n+        self.assertEqual(PRE_LOAD_MAGIC, data[:len(PRE_LOAD_MAGIC)])\n+        self.assertEqual(PRE_LOAD_VERSION, data[4:4 + len(PRE_LOAD_VERSION)])\n+        self.assertEqual(PRE_LOAD_HDR_SIZE, data[8:8 + len(PRE_LOAD_HDR_SIZE)])\n+        self.assertEqual(is_signed, True)\n+\n     def _CheckSafeUniqueNames(self, *images):\n         \"\"\"Check all entries of given images for unsafe unique names\"\"\"\n         for image in images:\ndiff --git a/tools/binman/test/fit/pre_load_fit_encrypted.dts b/tools/binman/test/fit/pre_load_fit_encrypted.dts\nnew file mode 100644\nindex 00000000000..f5e9bf9426c\n--- /dev/null\n+++ b/tools/binman/test/fit/pre_load_fit_encrypted.dts\n@@ -0,0 +1,63 @@\n+// SPDX-License-Identifier: GPL-2.0+\n+\n+/dts-v1/;\n+\n+/ {\n+\t#address-cells = <1>;\n+\t#size-cells = <1>;\n+\n+\tbinman {\n+\t\tpre-load {\n+\t\t\tcontent = <&image>;\n+\t\t\talgo-name = \"sha256,rsa2048\";\n+\t\t\tkey-name = \"dev.key\";\n+\t\t\theader-size = <4096>;\n+\t\t\tversion = <0x11223344>;\n+\t\t};\n+\n+\t\timage: fit {\n+\t\t\tfit,encrypt;\n+\t\t\tdescription = \"Test a FIT with encrypted data and signed with a preload\";\n+\t\t\t#address-cells = <1>;\n+\n+\t\t\timages {\n+\t\t\t\tu-boot {\n+\t\t\t\t\tdescription = \"U-Boot\";\n+\t\t\t\t\ttype = \"firmware\";\n+\t\t\t\t\tarch = \"arm64\";\n+\t\t\t\t\tos = \"U-Boot\";\n+\t\t\t\t\tcompression = \"none\";\n+\t\t\t\t\tload = <00000000>;\n+\t\t\t\t\tentry = <00000000>;\n+\t\t\t\t\tcipher {\n+\t\t\t\t\t\talgo = \"aes256\";\n+\t\t\t\t\t\tkey-name-hint = \"aes256\";\n+\t\t\t\t\t};\n+\t\t\t\t\tu-boot-nodtb {\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t\tfdt-1 {\n+\t\t\t\t\tdescription = \"Flattened Device Tree blob\";\n+\t\t\t\t\ttype = \"flat_dt\";\n+\t\t\t\t\tarch = \"arm64\";\n+\t\t\t\t\tcompression = \"none\";\n+\t\t\t\t\tcipher {\n+\t\t\t\t\t\talgo = \"aes256\";\n+\t\t\t\t\t\tkey-name-hint = \"aes256\";\n+\t\t\t\t\t};\n+\t\t\t\t\tu-boot-dtb {\n+\t\t\t\t\t};\n+\t\t\t\t};\n+\t\t\t};\n+\n+\t\t\tconfigurations {\n+\t\t\t\tdefault = \"conf-1\";\n+\t\t\t\tconf-1 {\n+\t\t\t\t\tdescription = \"Boot U-Boot with FDT blob\";\n+\t\t\t\t\tfirmware = \"u-boot\";\n+\t\t\t\t\tfdt = \"fdt-1\";\n+\t\t\t\t};\n+\t\t\t};\n+\t\t};\n+\t};\n+};\n","prefixes":["v3","1/3"]}