{"id":2231245,"url":"http://patchwork.ozlabs.org/api/patches/2231245/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260430142602.v2.4.eb9898db9115ab0e26701a962ff8b41b199e78b2@changeid/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430142602.v2.4.eb9898db9115ab0e26701a962ff8b41b199e78b2@changeid>","list_archive_url":null,"date":"2026-04-30T12:26:03","name":"[v2,4/4] iminfo: also verify signatures","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"6a03951be743fc0f88a014e8b53678e01efb2546","submitter":{"id":90265,"url":"http://patchwork.ozlabs.org/api/people/90265/?format=json","name":"Ludwig Nussel","email":"ludwig.nussel@siemens.com"},"delegate":{"id":3651,"url":"http://patchwork.ozlabs.org/api/users/3651/?format=json","username":"trini","first_name":"Tom","last_name":"Rini","email":"trini@ti.com"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260430142602.v2.4.eb9898db9115ab0e26701a962ff8b41b199e78b2@changeid/mbox/","series":[{"id":502295,"url":"http://patchwork.ozlabs.org/api/series/502295/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=502295","date":"2026-04-30T12:25:59","name":"Improve FIT signature handling","version":2,"mbox":"http://patchwork.ozlabs.org/series/502295/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231245/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231245/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.a=rsa-sha256 header.s=fm2 header.b=GkPs6i/B;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.b=\"GkPs6i/B\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=ludwig.nussel@siemens.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5tj80DCvz1yJr\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 22:27:21 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 7914C8460E;\n\tThu, 30 Apr 2026 14:26:53 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 0B22284653; Thu, 30 Apr 2026 14:26:50 +0200 (CEST)","from mta-64-227.siemens.flowmailer.net\n (mta-64-227.siemens.flowmailer.net [185.136.64.227])\n (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id A5DF783693\n for <u-boot@lists.denx.de>; Thu, 30 Apr 2026 14:26:47 +0200 (CEST)","by mta-64-227.siemens.flowmailer.net with ESMTPSA id\n 2026043012264752a21e7b4a00020789 for <u-boot@lists.denx.de>;\n Thu, 30 Apr 2026 14:26:47 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,\n SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2;\n d=siemens.com; i=ludwig.nussel@siemens.com;\n h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;\n bh=qzf1LNidFw4Q35yDKgoc3THmHjKIUCQIN3Q3YW5s+Tg=;\n b=GkPs6i/BoBsKTIGOfaxtVJ8bNNpRXVX9W93bMrqKXlcYAYgKGk4fYndzh9Ht+N7S8lsCMr\n 6S7qUjrp22yP7IewbdMbeXHWpmttU4GyP0DJO9O4t0BETBHPWxzQ0yQV+jGe5C/4M9wXPBKV\n 0fJ9nBFusOmRUVyNX3B2FprlkbqaB0XW9DW5FGjvyFm+FFJNZsXxRtL4ALIftmLHIJnTCkQE\n ukQYr6yPq+S9+AdFdge7tTDtOvKlIa7BLcvdyGr5uDWEUwnuFntdwD3w9YdaaWwnLR+Gu/zH\n gh82rEuEoqu/7JdCockoZ1OEJZwdVH9/3aIPpFUBluFDT/TmIMnfqkjw==;","From":"Ludwig Nussel <ludwig.nussel@siemens.com>","To":"u-boot@lists.denx.de","Cc":"Ludwig Nussel <ludwig.nussel@siemens.com>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>,\n James Hilliard <james.hilliard1@gmail.com>,\n Jonas Karlman <jonas@kwiboo.se>,\n Kunihiko Hayashi <hayashi.kunihiko@socionext.com>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n Mayuresh Chitale <mchitale@ventanamicro.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Osama Abdelkader <osama.abdelkader@gmail.com>,\n Patrice Chotard <patrice.chotard@foss.st.com>, Peng Fan <peng.fan@nxp.com>,\n Quentin Schulz <quentin.schulz@cherry.de>,\n Shiji Yang <yangshiji66@outlook.com>, Tom Rini <trini@konsulko.com>,\n Wolfgang Wallner <wolfgang.wallner@at.abb.com>, Yao Zi <me@ziyao.cc>","Subject":"[PATCH v2 4/4] iminfo: also verify signatures","Date":"Thu, 30 Apr 2026 14:26:03 +0200","Message-ID":"\n <20260430142602.v2.4.eb9898db9115ab0e26701a962ff8b41b199e78b2@changeid>","In-Reply-To":"<20260430122629.606153-1-ludwig.nussel@siemens.com>","References":"<20260430122629.606153-1-ludwig.nussel@siemens.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Flowmailer-Platform":"Siemens","Feedback-ID":"519:519-1328817:519-21489:flowmailer","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"The iminfo command already verifies hashes of images. This change also\nverifies signatures of configurations if enabled.\n\nSigned-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>\n\n---\n\nChanges in v2:\n  - document fit_all_configurations_verify()\n\n boot/image-fit.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++\n cmd/bootm.c      |  7 +++++++\n include/image.h  |  1 +\n 3 files changed, 56 insertions(+)","diff":"diff --git a/boot/image-fit.c b/boot/image-fit.c\nindex 2d2709aa5b1..69a121a0ad6 100644\n--- a/boot/image-fit.c\n+++ b/boot/image-fit.c\n@@ -1512,6 +1512,54 @@ int fit_all_image_verify(const void *fit)\n \treturn 1;\n }\n \n+/**\n+ * fit_all_configurations_verify - verify signatures of all configurations\n+ * @fit: pointer to the FIT format image header\n+ *\n+ * fit_all_configurations_verify() iterates over all configurations\n+ * in the FIT and checks the signatures. Returns success if all\n+ * configurations have valid signatures. See documentation at\n+ * fit_config_verify_required_keys() resp fit_config_verify_key().\n+ *\n+ * returns:\n+ *     0, success\n+ *     <0, error\n+ */\n+int fit_all_configurations_verify(const void *fit)\n+{\n+\tint confs_noffset;\n+\tint noffset;\n+\tint r = -ENOENT;\n+\n+\t/* Find images parent node offset */\n+\tconfs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH);\n+\tif (confs_noffset < 0) {\n+\t\tprintf(\"Can't find configurations parent node '%s' (%s)\\n\",\n+\t\t       FIT_IMAGES_PATH, fdt_strerror(confs_noffset));\n+\t\treturn confs_noffset;\n+\t}\n+\n+\t/* Process all config subnodes, check hashes for each */\n+\tprintf(\"## Checking configuration signatures ...\\n\");\n+\n+\tfdt_for_each_subnode(noffset, fit, confs_noffset) {\n+\t\tint ret;\n+\n+\t\tprintf(\"   %s ... \", fit_get_name(fit, noffset, NULL));\n+\t\tret = fit_config_verify(fit, noffset);\n+\t\tif (ret) {\n+\t\t\tr = ret;\n+\t\t\tcontinue;\n+\t\t}\n+\t\t/* valid config found */\n+\t\tif (r == -ENOENT)\n+\t\t\tr = 0;\n+\t\tputs(\"OK\\n\");\n+\t}\n+\n+\treturn r;\n+}\n+\n static int fit_image_uncipher(const void *fit, int image_noffset,\n \t\t\t      void **data, size_t *size)\n {\ndiff --git a/cmd/bootm.c b/cmd/bootm.c\nindex ca7cec91fad..1ea46788a18 100644\n--- a/cmd/bootm.c\n+++ b/cmd/bootm.c\n@@ -335,6 +335,13 @@ static int image_info(ulong addr)\n \t\t\treturn 1;\n \t\t}\n \n+\t\tif (CONFIG_IS_ENABLED(FIT_SIGNATURE_REQUIRED) &&\n+\t\t    fit_all_configurations_verify(hdr) != 0) {\n+\t\t\tputs(\"Signature verification failed!\\n\");\n+\t\t\tunmap_sysmem(hdr);\n+\t\t\treturn 1;\n+\t\t}\n+\n \t\tunmap_sysmem(hdr);\n \t\treturn 0;\n #endif\ndiff --git a/include/image.h b/include/image.h\nindex 34efac6056d..7948090f6e0 100644\n--- a/include/image.h\n+++ b/include/image.h\n@@ -1355,6 +1355,7 @@ static inline int fit_config_verify(const void *fit, int conf_noffset)\n }\n #endif\n int fit_all_image_verify(const void *fit);\n+int fit_all_configurations_verify(const void *fit);\n int fit_config_decrypt(const void *fit, int conf_noffset);\n int fit_image_check_os(const void *fit, int noffset, uint8_t os);\n int fit_image_check_arch(const void *fit, int noffset, uint8_t arch);\n","prefixes":["v2","4/4"]}