mail archive of the barebox mailing list
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH master] FIT: handle hashed-nodes property not being in hashed nodes order
Date: Mon, 16 Mar 2026 20:29:42 +0100
Message-ID: <20260316194604.944486-1-a.fatoum@pengutronix.de>

Despite hashed-nodes no longer being used to determine which nodes to
hash, we still refer to it to improve the error message on hashed-nodes
mismatch.

mkimage(1) hashes properties in the order they appear in the node, which
is the order of the properties in the ITS device tree source.

Unfortunately, the order of entries in the hashed-nodes property is not
the same order that nodes are actually hashed in, but instead, the
ordering is controlled by the sign-images property, an unsorted list of
nodes to hash that's only interpreted by mkimage.

This breaks booting valid FITs that have sign-images in a different order
than the properties, like those generated by PTXdist's
scripts/lib/ptxd_make_fit_image.sh:

conf-${compatible} {
	kernel = "kernel";
	ramdisk = "initramfs";
	fdt = "fdt-${compatible}";

	signature-1 {
		sign-images = "fdt", "kernel", "ramdisk";
	};
};

Fix this by looking up strings in the device tree property value at any
location. Also, move this, so it's only done on error.
This saves time in the usual case, but more importantly
makes the code easier to reason about.

Example output (shortened)

  barebox@board:/ bootm -v /mnt/tftp/fit
  FIT: configuration 'conf-myboard': 0 Linux kernel, FDT blob, ramdisk
  signature-1 {
          hashed-nodes = /* ... */;
  };
  FIT: Key [...] (fit) -> signature BAD
  ERROR: FIT: image signature BAD: verification failed
  ERROR: FIT: /configurations/conf-myboard/signature-1/hashed-nodes: '/images/fdt-myboard' is missing
  ERROR: FIT: /configurations/conf-myboard/signature-1/hashed-nodes: '/images/fdt-myboard/hash-1' is missing
  ERROR: Cannot open FIT image configuration 'default'
  ERROR: Loading FIT image failed with: error 74
  handler failed with: error 74

Fixes: 55f25be5223b ("FIT: reconstruct hashed-nodes property during verification")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/image-fit.c | 59 +++++++++++++++++++---------------------------
 1 file changed, 24 insertions(+), 35 deletions(-)

diff --git a/common/image-fit.c b/common/image-fit.c
index b78dee9e65a8..7bc4665fcdbc 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -357,45 +357,36 @@ static int fit_config_build_hash_nodes(struct fit_handle *handle,
 	return 0;
 }
 
-static int fit_config_check_hash_nodes(struct device_node *sig_node,
-				       struct string_list *inc_nodes)
+/**
+ * fit_config_check_hash_nodes - Sanity check hashed-nodes
+ * @sig_node: Signature node of a FIT configuration
+ * @inc_nodes: String list of nodes included in the hash
+ *
+ * Check if the informational hashed-nodes property is cosistent with
+ * the list of nodes to hash that we calculated.
+ *
+ * We only do this if hash verification failed, so we can present a better
+ * error messages in some circumstances.
+ */
+static void fit_config_check_hash_nodes(struct device_node *sig_node,
+					struct string_list *inc_nodes)
 {
 	struct string_list *entry;
-	const char *node;
 	int ret, i = 0;
 
-	/*
-	 * Check if the hashed-nodes property matches the list of nodes we calculated.
-	 * We don't use the hashed-nodes property finally, but let's check for consistency
-	 * to inform the user if something is wrong.
-	 */
-
 	string_list_for_each_entry(entry, inc_nodes) {
-
-		ret = of_property_read_string_index(sig_node, "hashed-nodes", i, &node);
-		if (ret) {
-			pr_err("Cannot read hashed-node[%u]: %pe\n", i,
-			       ERR_PTR(ret));
-			return ret;
-		}
-
-		if (strcmp(entry->str, node)) {
-			pr_err("hashed-node[%u] doesn't match calculated node: %s != %s\n",
-			       i, entry->str, node);
-			return -EINVAL;
-		}
+		ret = of_property_match_string(sig_node, "hashed-nodes", entry->str);
+		if (ret < 0)
+			pr_err("%pOF/hashed-nodes: '%s' is missing\n", sig_node,
+			       entry->str);
 
 		i++;
 	}
 
-	ret = of_property_read_string_index(sig_node, "hashed-nodes", i,
-					    &node);
-	if (!ret) {
-		pr_err("hashed-nodes property has more entries than we calculated\n");
-		return -EINVAL;
-	}
-
-	return 0;
+	ret = of_property_count_strings(sig_node, "hashed-nodes");
+	if (ret != i)
+		pr_err("hashed-nodes property has more entries than calculated: %d != %d\n",
+		       ret, i);
 }
 
 /*
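
Review bot: The final count check at the end of fit_config_check_hash_nodes() prints "hashed-nodes property has more entries than calculated" whenever `ret != i`, but that condition is also true when the property has fewer entries than the computed list, and when of_property_count_strings() returns a negative error code. In those cases the message points the reader in the wrong direction. Suggest handling `ret < 0` on its own and wording the remaining case as an entry count mismatch. Two typos in the new kerneldoc as well: "cosistent" should be "consistent", and "a better error messages" should be "a better error message".
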
@@ -433,10 +424,6 @@ static int fit_verify_signature(struct fit_handle *handle,
 		goto out_sl;
 	}
 
-	ret = fit_config_check_hash_nodes(sig_node, &inc_nodes);
-	if (ret)
-		goto out_sl;
-
 	string_list_add(&exc_props, "data");
 
 	digest = fit_alloc_digest(sig_node, &algo);
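
Review bot: Dropping the `if (ret) goto out_sl;` path here changes behaviour beyond reordering: a hashed-nodes property that disagrees with the computed node list used to abort verification with an error before hashing, and now no longer rejects the image when the signature itself verifies. That follows from hashed-nodes being informational, but the commit message only says the check is moved to the error path. Suggest stating explicitly in the commit message that a hashed-nodes mismatch is no longer fatal, so the change in acceptance behaviour is on record.
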
@@ -454,8 +441,10 @@ static int fit_verify_signature(struct fit_handle *handle,
 	digest_final(digest, hash);
 
 	ret = fit_check_signature(handle, sig_node, algo, hash);
-	if (ret)
+	if (ret) {
+		fit_config_check_hash_nodes(sig_node, &inc_nodes);
 		goto out_free_hash;
+	}
 
 	ret = 0;
 
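
Review bot: In the new `if (ret) { ... }` branch the helper runs for every failure of fit_check_signature(), so on a bad signature with a hashed-nodes property that is missing entries the log gets one pr_err line per computed node in addition to the signature error. Since the helper is now void and must never influence `ret`, a one-line comment at the call site saying it is diagnostic output only would help keep a later change from turning it back into a verification step.
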
-- 
2.47.3




Thread overview: 2+ messages
2026-03-16 19:29 Ahmad Fatoum [this message]
2026-03-17  8:32 ` Sascha Hauer
