SPL FIT configuration signature verification

Reuben Dowle reuben.dowle at 4rf.com
Mon Sep 14 00:01:46 CEST 2020


Yes, it is possible to do this. The SPL will check its own DTB to check which signatures are required.

When the FIT that the SPL will load is created with mkimage, you also pass the SPL's dtb file, which will be patched to include the required signatures.

I am not sure if the config system has ability to specify this. My build process separates the signing from the normal uboot build (so that I can keep the private keys more secure), so I am manually calling mkimage. The command I am using to generate my second stage signed u-boot FIT file which is loaded by SPL:

mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit

The updated u-boot-spl.dtb needs to be available for the SPL to load at startup - often by appending this dtb to the end of the SPL binary. In my case I do this:
cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb > u-boot-spl.bin

-----Original Message-----
From: U-Boot <u-boot-bounces at lists.denx.de> On Behalf Of Andrii Voloshyn
Sent: Saturday, 12 September 2020 12:18 am
To: u-boot <u-boot at lists.denx.de>
Subject: SPL FIT configuration signature verification

Hi there,

Is it possible to make SPL U-Boot verify the signature located in the configuration section of a FIT image, and not continue in case the signature is missing or doesn't match?
Asking because I couldn't find any configuration option for that, and I have a FIT image with a signature but SPL U-Boot doesn't check it at all, it only checks signatures for images if present.

Thanks

Cheers,
Andy
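The reply above hinges on one fact: SPL only enforces a configuration signature if the control DTB appended to it carries a /signature/key-* node with required = "conf" (the node that `mkimage -K` writes). Andy's symptom, images checked but the configuration not, is exactly what you get when that node is absent or says required = "image". The following is an added example, not code from this thread or from U-Boot: a small flat-device-tree parser plus a check that answers "does this u-boot-spl.dtb actually make SPL require a signed configuration?". The sample DTBs are constructed inline (the real node also carries rsa,modulus, rsa,exponent and friends, omitted here); the node and property names (/signature, key-<hint>, required, algo, key-name-hint) are U-Boot's own conventions.

```python
"""Inspect a U-Boot SPL control DTB for a key that requires a signed FIT configuration.

Run on the real file with:  required_config_keys(open("u-boot-spl.dtb", "rb").read())
Added example; the sample blobs below are constructed, not real mkimage output.
"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def parse_fdt(blob):
    """Parse a flattened device tree into {'props': {name: bytes}, 'children': {name: node}}."""
    (magic, _total, off_struct, off_strings, _off_rsv, _ver, _lastcomp,
     _cpuid, size_strings, size_struct) = struct.unpack_from(">10I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree (bad magic)")
    strings = blob[off_strings:off_strings + size_strings]
    pos, stack, root = off_struct, [], None
    while pos < off_struct + size_struct:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            name = blob[pos:end].decode()
            pos = (end + 1 + 3) & ~3          # name is NUL-terminated, then 4-byte aligned
            node = {"props": {}, "children": {}}
            if stack:
                stack[-1]["children"][name] = node
            else:
                root = node
            stack.append(node)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            value = blob[pos:pos + length]
            pos = (pos + length + 3) & ~3     # property value is 4-byte aligned
            nend = strings.index(b"\0", nameoff)
            stack[-1]["props"][strings[nameoff:nend].decode()] = value
        elif tok == FDT_NOP:
            continue
        elif tok == FDT_END:
            break
        else:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")
    return root


def required_config_keys(blob):
    """Return {key node: algo} for every /signature/key-* node with required = "conf".

    An empty result means SPL will accept a FIT whose configuration is unsigned,
    even if it still verifies individual images that carry their own signatures.
    """
    sig = parse_fdt(blob)["children"].get("signature")
    if sig is None:
        return {}
    found = {}
    for name, node in sig["children"].items():
        required = node["props"].get("required", b"").rstrip(b"\0").decode()
        if required == "conf":
            found[name] = node["props"].get("algo", b"").rstrip(b"\0").decode()
    return found


def build_fdt(root):
    """Serialise the nested-dict form to a flat DTB (only used here to construct samples)."""
    struct_blk, strings, offs = bytearray(), bytearray(), {}

    def stroff(name):
        if name not in offs:
            offs[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return offs[name]

    def emit(name, node):
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE))
        n = name.encode() + b"\0"
        struct_blk.extend(n + b"\0" * (-len(n) % 4))
        for pname, val in node["props"].items():
            struct_blk.extend(struct.pack(">III", FDT_PROP, len(val), stroff(pname)))
            struct_blk.extend(val + b"\0" * (-len(val) % 4))
        for cname, child in node["children"].items():
            emit(cname, child)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit("", root)
    struct_blk.extend(struct.pack(">I", FDT_END))
    rsv = struct.pack(">QQ", 0, 0)            # empty memory reservation map
    off_rsv, off_struct = 40, 40 + len(rsv)
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, off_rsv, 17, 16, 0, len(strings), len(struct_blk))
    return bytes(header + rsv + struct_blk + strings)


def sample_spl_dtb(required):
    """Constructed stand-in for u-boot-spl.dtb after 'mkimage -K' with the given 'required' value."""
    key = {"props": {"required": required.encode() + b"\0",
                     "algo": b"sha256,rsa2048\0",
                     "key-name-hint": b"dev\0"}, "children": {}}
    sig = {"props": {}, "children": {"key-dev": key}}
    return build_fdt({"props": {}, "children": {"signature": sig}})


if __name__ == "__main__":
    for req in ("conf", "image"):
        keys = required_config_keys(sample_spl_dtb(req))
        print(f'required = "{req}": SPL enforces a signed configuration: {bool(keys)} {keys}')
```

Run the check against the DTB that actually ends up at the tail of u-boot-spl.bin (the one from the cat step), not the pre-signing copy: if the result is empty, the mkimage -K step did not reach the binary SPL boots from, and an unsigned configuration will still be accepted.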
