[PATCH v1 1/2] rsa: allow operation without SPL_DM by falling back to software

Lukas Schmid lukas.schmid at netcube.li
Mon Aug 11 18:10:33 CEST 2025


Boards using secure boot but lacking SPL_DM support currently cannot
use FIT signature verification in SPL, as SPL_FIT_SIGNATURE depends
on SPL_DM.  This dependency is only needed for hardware RSA modular
exponentiation drivers; software RSA verification works without DM.

Remove the SPL_DM dependency in Kconfig and guard the hardware RSA
path in rsa-verify.c with CONFIG_IS_ENABLED(DM).  This allows SPL to
verify signed FIT images using the software RSA implementation on
non-DM systems.

Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
---
 boot/Kconfig         |  2 +-
 lib/rsa/rsa-verify.c | 27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index a671d78e..6c0e2a49 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -203,7 +203,7 @@ config SPL_FIT_FULL_CHECK
 
 config SPL_FIT_SIGNATURE
 	bool "Enable signature verification of FIT firmware within SPL"
-	depends on SPL_DM
+#	depends on SPL_DM
 	depends on SPL_LOAD_FIT || SPL_LOAD_FIT_FULL
 	select FIT_SIGNATURE
 	select SPL_FIT
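Review bot: The dependency is commented out (`#	depends on SPL_DM`) rather than deleted, which leaves dead text in the entry and contradicts the commit message's "Remove the SPL_DM dependency"; drop the line entirely. With SPL_DM no longer required, nothing visible in this hunk ensures that the software modular-exponentiation code is built for SPL on a non-DM board. It is worth confirming that the options this entry selects (the list continues outside the hunk) pull in `rsa_mod_exp_sw()`, so that enabling signature verification on such a board cannot end in a link failure.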
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index b65fbe44..314f75a2 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -327,8 +327,9 @@ static int rsa_verify_key(struct image_sign_info *info,
 			  const uint32_t key_len)
 {
 	int ret;
-#if !defined(USE_HOSTCC)
-	struct udevice *mod_exp_dev;
+#ifndef USE_HOSTCC
+	if (IS_ENABLED(CONFIG_DM))
+		struct udevice *mod_exp_dev;
 #endif
 	struct checksum_algo *checksum = info->checksum;
 	struct padding_algo *padding = info->padding;
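Review bot: `if (IS_ENABLED(CONFIG_DM))` followed by `struct udevice *mod_exp_dev;` is not valid C, because a declaration cannot be the body of an `if`. Even if a compiler accepted it, the variable would be out of scope before the later `uclass_get_device()` call. The run-time `if` added further down in this file still names `mod_exp_dev` when DM is off, so the declaration has to stay unconditional inside the guard: `struct udevice *mod_exp_dev;` directly under `#ifndef USE_HOSTCC`. As written, non-host builds of this signature-verification path would presumably fail to compile. rsa_verify_key's body continues outside the hunk.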
@@ -354,17 +355,21 @@ static int rsa_verify_key(struct image_sign_info *info,
 	uint8_t buf[sig_len];
 	hash_len = checksum->checksum_len;
 
-#if !defined(USE_HOSTCC)
-	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
-	if (ret) {
-		printf("RSA: Can't find Modular Exp implementation\n");
-		return -EINVAL;
-	}
+#ifndef USE_HOSTCC
+	if (IS_ENABLED(CONFIG_DM)) {
+		ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
+		if (ret) {
+			printf("RSA: Can't find Modular Exp implementation\n");
+			return -EINVAL;
+		}
 
-	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
-#else
-	ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
+		ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
+	} else
 #endif
+	{
+		ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
+	}
+
 	if (ret) {
 		debug("Error in Modular exponentation\n");
 		return ret;
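Review bot: The guard `if (IS_ENABLED(CONFIG_DM))` tests the U-Boot proper symbol rather than the per-phase one. An SPL build with CONFIG_DM=y but SPL_DM off would therefore still take the hardware branch and call `uclass_get_device()`, which is exactly the configuration the commit message sets out to support. The message itself names the phase-aware form, so use `if (CONFIG_IS_ENABLED(DM)) {` here. Because this branch decides which code performs the modular exponentiation for FIT signature verification, a one-line comment above the `else` block would help, for example `/* no driver model in this phase: use the software implementation */`. rsa_verify_key's body continues outside the hunk.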
-- 
2.39.5



