Injecting public keys into FTDs for FIT verification

Jan Kiszka jan.kiszka at
Fri Nov 5 14:03:58 CET 2021

On 05.11.21 13:42, Jan Kiszka wrote:
> On 05.11.21 11:28, Rasmus Villemoes wrote:
>> On 05/11/2021 11.16, Jan Kiszka wrote:
>>> Hi all,
>>> in order to use CONFIG_FIT_SIGNATURE and also
>>> CONFIG_SPL_FIT_SIGNATURE, a public key needs to be placed into the
>>> control FDT. So far, I only found mkimage being able to do that during
>>> FIT image signing. That is fairly unhandy and often incompatible with
>>> how firmware is built & signed vs. how the lifecycle of the artifacts to
>>> be loaded and verified look like. Is there really no other way than
>>> mkimage -K?
>>> I'm currently considering to derive a tool that, given a public key
>>> (which is easy to hand around, compared to the private key needed for
>>> signing), injects them into a FDT. Then I would hook that up as generic
>>> feature for U-Boot builds, enriching all control FTDs already during the
>>> first build with this when requested.
>>> Am I missing an even simpler approach?
>> You're not missing an existing upstream simpler approach, but it's
>> certainly an itch that others have had [1] [2]. My latest attempt

Looking at this path: I would also need it for SPL, so that SPL can
validate the container for the main U-Boot. Seems that is missing here,
isn't it?


>> does now have an R-b by Simon, so now I'm just waiting for that to
>> actually make it into master. I have the script(s) that will convert a
>> public key to a .dtsi fragment, and I'm happy to share that.
> Cool, that would be very welcome!
> Jan
>> Rasmus
>> [1]
>> [2]

Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

More information about the U-Boot mailing list