[U-Boot] Verified boot of images without signatures

Simon Glass sjg at chromium.org
Tue Aug 13 09:35:18 UTC 2019


Hi Patrick,

On Wed, 12 Jun 2019 at 14:28, Patrick Doyle <wpdster at gmail.com> wrote:
>
> On Wed, Jun 12, 2019 at 2:10 PM Alex Kiernan <alex.kiernan at gmail.com> wrote:
> > On Wed, Jun 12, 2019 at 7:00 PM Patrick Doyle <wpdster at gmail.com> wrote:
> > > Am I missing something here?
> > >
> >
> > Probably... I went round a very similar loop too. You need the
> > required property in the U-Boot DTB, not in the image you're booting.
> > And if you're trying to do this for SPL loading U-Boot you need
> > CONFIG_SPL_LOAD_FIT_FULL. Oh and make sure you've disabled legacy
> > image support.
> Hi Alex,
> You nailed it.  I didn't understand that the "required" property
> belonged to the u-boot dtb, not the fitImage.  Now that I understand
> that, I see where that is described in signature.txt.  I'm great at
> understanding documentation once I know what the documentation says

A doc patch is welcome.

The 'required' property is in the 'trusted' DT since otherwise an
image could just omit it.

Regards,
Simon
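
A simplified model of why the 'required' policy has to live in the loader's trusted DT, as an added example that is not part of the original message and is not U-Boot's code. HMAC-SHA256 stands in for U-Boot's RSA signatures, and the dict layout, the key name `key-dev` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 with a constructed key stands in for U-Boot's RSA
# signatures so the model runs with the standard library only.
DEMO_KEY = b"constructed-demo-key"

def sign(payload):
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()

def sig_ok(image, key_name):
    """True if the image carries a valid signature for key_name."""
    sig = image.get("signatures", {}).get(key_name)
    return sig is not None and hmac.compare_digest(sig, sign(image["payload"]))

def verify_policy_in_image(image):
    """Flawed model: the image being checked says which keys are required."""
    required = image.get("required", [])
    return all(sig_ok(image, k) for k in required)  # nothing required: passes

def verify_policy_in_trusted_dt(image, trusted_dt):
    """Model of the thread's point: the loader's own DT names the required keys."""
    keys = trusted_dt.get("signature", {})
    required = [name for name, node in keys.items() if "required" in node]
    return all(sig_ok(image, k) for k in required)

# Constructed sample data (hypothetical key name and layout).
DT_REQUIRED = {"signature": {"key-dev": {"required": "conf"}}}
DT_NOT_REQUIRED = {"signature": {"key-dev": {}}}
SIGNED = {"payload": b"kernel", "required": ["key-dev"],
          "signatures": {"key-dev": sign(b"kernel")}}
UNSIGNED = {"payload": b"other kernel"}  # omits signature and 'required'

if __name__ == "__main__":
    print("policy in image, unsigned image:     ",
          verify_policy_in_image(UNSIGNED))
    print("policy in trusted DT, unsigned image:",
          verify_policy_in_trusted_dt(UNSIGNED, DT_REQUIRED))
    print("trusted DT lacks 'required', unsigned:",
          verify_policy_in_trusted_dt(UNSIGNED, DT_NOT_REQUIRED))
```

The last case models the situation the thread started from: with no 'required' property in the loader's DT, an image without signatures is still accepted.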

