[PATCH master] FIT: handle hashed-nodes property not being in hashed nodes order

[PATCH master] FIT: handle hashed-nodes property not being in hashed nodes order

[Ahmad Fatoum]

Despite hashed-nodes no longer being used to determine which nodes to
hash, we still refer to it to improve the error message on hashed-nodes
mismatch.

mkimage(1) hashes properties in the order they appear in the node, which
is the order of the properties in the ITS device tree source.

Unfortunately, the order of entries in the hashed-nodes property is not
the same order that nodes are actually hashed in, but instead, the
ordering is controlled by the sign-images property, an unsorted list of
nodes to hash that's only interpreted by mkimage.

This breaks booting valid FITs that have sign-images in different order
than the properties like those generates by PTXdist's
scripts/lib/ptxd_make_fit_image.sh:

conf-${compatible} {
	kernel = "kernel";
	ramdisk = "initramfs";
	fdt = "fdt-${compatible}";

	signature-1 {
		sign-images = "fdt", "kernel", "ramdisk";
	};
};

Fix this by looking up strings in the device tree property value at any
location. Also, move this, so it's only done on error;
This saves time in the usual case, but more importantly
makes the code easier to reason about.

Example output (shortened)

  barebox@board:/ bootm -v /mnt/tftp/fit
  FIT: configuration 'conf-myboard': 0 Linux kernel, FDT blob, ramdisk
  signature-1 {
          hashed-nodes = /* ... */;
  };
  FIT: Key [...] (fit) -> signature BAD
  ERROR: FIT: image signature BAD: verification failed
  ERROR: FIT: /configurations/conf-myboard/signature-1/hashed-nodes: '/images/fdt-myboard' is missing
  ERROR: FIT: /configurations/conf-myboard/signature-1/hashed-nodes: '/images/fdt-myboard/hash-1' is missing
  ERROR: Cannot open FIT image configuration 'default'
  ERROR: Loading FIT image failed with: error 74
  handler failed with: error 74

Fixes: 55f25be5223b ("FIT: reconstruct hashed-nodes property during verification")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/image-fit.c | 59 +++++++++++++++++++---------------------------
 1 file changed, 24 insertions(+), 35 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index b78dee9e65a8..7bc4665fcdbc 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -357,45 +357,36 @@ static int fit_config_build_hash_nodes(struct fit_handle *handle,
 	return 0;
 }
 
-static int fit_config_check_hash_nodes(struct device_node *sig_node,
-				       struct string_list *inc_nodes)
+/**
+ * fit_config_check_hash_nodes - Sanity check hashed-nodes
+ * @sig_node: Signature node of a FIT configuration
+ * @inc_nodes: String list of nodes included in the hash
+ *
+ * Check if the informational hashed-nodes property is cosistent with
+ * the list of nodes to hash that we calculated.
+ *
+ * We only do this if hash verification failed, so we can present a better
+ * error messages in some circumstances.
+ */
+static void fit_config_check_hash_nodes(struct device_node *sig_node,
+					struct string_list *inc_nodes)
 {
 	struct string_list *entry;
-	const char *node;
 	int ret, i = 0;
 
-	/*
-	 * Check if the hashed-nodes property matches the list of nodes we calculated.
-	 * We don't use the hashed-nodes property finally, but let's check for consistency
-	 * to inform the user if something is wrong.
-	 */
-
 	string_list_for_each_entry(entry, inc_nodes) {
-
-		ret = of_property_read_string_index(sig_node, "hashed-nodes", i, &node);
-		if (ret) {
-			pr_err("Cannot read hashed-node[%u]: %pe\n", i,
-			       ERR_PTR(ret));
-			return ret;
-		}
-
-		if (strcmp(entry->str, node)) {
-			pr_err("hashed-node[%u] doesn't match calculated node: %s != %s\n",
-			       i, entry->str, node);
-			return -EINVAL;
-		}
+		ret = of_property_match_string(sig_node, "hashed-nodes", entry->str);
+		if (ret < 0)
+			pr_err("%pOF/hashed-nodes: '%s' is missing\n", sig_node,
+			       entry->str);
 
 		i++;
 	}
 
-	ret = of_property_read_string_index(sig_node, "hashed-nodes", i,
-					    &node);
-	if (!ret) {
-		pr_err("hashed-nodes property has more entries than we calculated\n");
-		return -EINVAL;
-	}
-
-	return 0;
+	ret = of_property_count_strings(sig_node, "hashed-nodes");
+	if (ret != i)
+		pr_err("hashed-nodes property has more entries than calculated: %d != %d\n",
+		       ret, i);
 }
 
 /*
@@ -433,10 +424,6 @@ static int fit_verify_signature(struct fit_handle *handle,
 		goto out_sl;
 	}
 
-	ret = fit_config_check_hash_nodes(sig_node, &inc_nodes);
-	if (ret)
-		goto out_sl;
-
 	string_list_add(&exc_props, "data");
 
 	digest = fit_alloc_digest(sig_node, &algo);
@@ -454,8 +441,10 @@ static int fit_verify_signature(struct fit_handle *handle,
 	digest_final(digest, hash);
 
 	ret = fit_check_signature(handle, sig_node, algo, hash);
-	if (ret)
+	if (ret) {
+		fit_config_check_hash_nodes(sig_node, &inc_nodes);
 		goto out_free_hash;
+	}
 
 	ret = 0;
 
-- 
2.47.3

Re: [PATCH master] FIT: handle hashed-nodes property not being in hashed nodes order

[Sascha Hauer]

On Mon, 16 Mar 2026 20:29:42 +0100, Ahmad Fatoum wrote:
> Despite hashed-nodes no longer being used to determine which nodes to
> hash, we still refer to it to improve the error message on hashed-nodes
> mismatch.
> 
> mkimage(1) hashes properties in the order they appear in the node, which
> is the order of the properties in the ITS device tree source.
> 
> [...]

Applied, thanks!

[1/1] FIT: handle hashed-nodes property not being in hashed nodes order
      https://git.pengutronix.de/cgit/barebox/commit/?id=2370a81beaf1 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>