Injecting public keys into FDTs for FIT verification

Rasmus Villemoes rasmus.villemoes at
Fri Nov 5 11:28:01 CET 2021

On 05/11/2021 11.16, Jan Kiszka wrote:
> Hi all,
> in order to use CONFIG_FIT_SIGNATURE and also
> CONFIG_SPL_FIT_SIGNATURE, a public key needs to be placed into the
> control FDT. So far, I only found mkimage being able to do that during
> FIT image signing. That is fairly unhandy and often incompatible with
> how firmware is built & signed vs. how the lifecycle of the artifacts to
> be loaded and verified look like. Is there really no other way than
> mkimage -K?
> I'm currently considering deriving a tool that, given a public key
> (which is easy to hand around, compared to the private key needed for
> signing), injects it into an FDT. Then I would hook that up as a generic
> feature for U-Boot builds, enriching all control FDTs already during the
> first build with this when requested.
> Am I missing an even simpler approach?

You're not missing an existing upstream simpler approach, but it's
certainly an itch that others have had [1] [2]. My latest attempt

does now have an R-b by Simon, so now I'm just waiting for that to
actually make it into master. I have the script(s) that will convert a
public key to a .dtsi fragment, and I'm happy to share that.
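Something along the lines of the key-to-.dtsi conversion mentioned above, as an added example that is neither Rasmus's script nor U-Boot's own code: it takes the modulus n and exponent e of an RSA public key (n as printed by `openssl rsa -pubin -noout -modulus`, e usually 65537) and emits the /signature/key-* node that CONFIG_FIT_SIGNATURE verification reads, computing the same derived values mkimage -K stores. The script name key2dtsi.py and the "dev" key-name hint are assumptions.

```python
# Added example (not Rasmus's script or U-Boot's own code): turn an RSA public
# key, given as (modulus n, exponent e), into the /signature/key-* node that
# U-Boot's FIT verification reads. The property layout mirrors what mkimage -K
# writes (lib/rsa/rsa-sign.c): big-endian modulus, R^2 mod n with R = 2^num_bits,
# and n0-inverse = -n^-1 mod 2^32, which lib/rsa needs for Montgomery reduction.
import sys

def rsa_key_params(n: int, e: int, num_bits: int) -> dict:
    """Compute the values U-Boot stores for an RSA public key of num_bits bits."""
    if n % 2 == 0 or n.bit_length() > num_bits or num_bits % 32:
        raise ValueError("modulus must be odd and fit in a multiple of 32 bits")
    r = 1 << num_bits
    n_inv = pow(n, -1, 1 << 32)            # n^-1 mod 2^32 exists because n is odd
    return {
        "num_bits": num_bits,
        "n0_inverse": (1 << 32) - n_inv,   # == -n^-1 mod 2^32
        "exponent": e,
        "modulus": n.to_bytes(num_bits // 8, "big"),
        "r_squared": (r * r % n).to_bytes(num_bits // 8, "big"),
    }

def _cells(data: bytes) -> str:
    """Render bytes as big-endian 32-bit dts cells, as fdt_add_bignum stores them."""
    return " ".join(f"0x{data[i:i + 4].hex()}" for i in range(0, len(data), 4))

def key_dtsi(n: int, e: int, num_bits: int, hint: str = "dev", required: str = "conf") -> str:
    """Emit a .dtsi fragment a board's control DT can #include (hint is assumed)."""
    p = rsa_key_params(n, e, num_bits)
    return "\n".join([
        "/ {",
        "\tsignature {",
        f"\t\tkey-{hint} {{",
        f'\t\t\trequired = "{required}";',
        f'\t\t\talgo = "sha256,rsa{num_bits}";',
        f'\t\t\tkey-name-hint = "{hint}";',
        f"\t\t\trsa,num-bits = <{num_bits}>;",
        f"\t\t\trsa,n0-inverse = <0x{p['n0_inverse']:08x}>;",
        f"\t\t\trsa,exponent = <{_cells(e.to_bytes(8, 'big'))}>;",
        f"\t\t\trsa,modulus = <{_cells(p['modulus'])}>;",
        f"\t\t\trsa,r-squared = <{_cells(p['r_squared'])}>;",
        "\t\t};",
        "\t};",
        "};",
    ])

if __name__ == "__main__":
    # usage: key2dtsi.py <modulus hex from 'openssl rsa -pubin -noout -modulus'> [bits]
    bits = int(sys.argv[2]) if len(sys.argv) > 2 else 2048
    print(key_dtsi(int(sys.argv[1], 16), 65537, bits))
```

The emitted fragment is meant to be #included from the board's control .dts so the key lands in the control FDT at build time; U-Boot's verifier only accepts 2048- or 4096-bit RSA keys, so pass the real key size as the bits argument.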
