Injecting public keys into FTDs for FIT verification

Jan Kiszka jan.kiszka at
Fri Nov 5 11:16:16 CET 2021

Hi all,

in order to use CONFIG_FIT_SIGNATURE and also
CONFIG_SPL_FIT_SIGNATURE, a public key needs to be placed into the
control FDT. So far, I only found mkimage being able to do that during
FIT image signing. That is fairly unhandy and often incompatible with
how firmware is built & signed vs. how the lifecycle of the artifacts to
be loaded and verified look like. Is there really no other way than
mkimage -K?

I'm currently considering to derive a tool that, given a public key
(which is easy to hand around, compared to the private key needed for
signing), injects them into a FDT. Then I would hook that up as generic
feature for U-Boot builds, enriching all control FTDs already during the
first build with this when requested.

Am I missing an even simpler approach?


Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

More information about the U-Boot mailing list