Hi Martin, On Fri, 8 Jul 2022 at 01:11, Martin Bonner <martingreybe...@gmail.com> wrote: > > On Thu, 7 Jul 2022 at 17:29, Martin Bonner <martingreybe...@gmail.com> > wrote: > > > I have a 30MB FIT image as input, and I have added some debug to > > hash_calculate in rsa-checksum.c to print the amount of data being hashed. > > The answer is a rather scary "1106 bytes"! ... > > > > Can anyone clarify what is happening? > > > > Never mind. I have found fit_image_check_hash in image-fit.c (yay for gdb > read watchpoints!) So the algorithm is basically "verify that the hashes > of each image is correct", then calculate a hash which includes the hashes > of the images (but not their data), and sign that. (I think it's > overcomplicated, and complexity is the enemy of security - but it's much > too late to change that.)
Some reasons: - it is faster to hash things only once (i.e. use the image hash we already have) - It is faster to hash smaller things (i.e. the meta data) This of this as a tree of hashes... Regards, Simon