[PATCH 4/4] image-fit-sig: require signatures
Quentin Schulz
quentin.schulz at cherry.de
Mon Apr 27 18:02:58 CEST 2026
Hi Ludwig,

On 4/27/26 5:03 PM, Ludwig Nussel wrote:
> Signature nodes in the device tree are mandatory if u-boot is compiled
> with signature verification. Allowing signature verification to pass

First, it's not enforced at build time and cannot, as it depends on the
binman FDT node to be properly configured. But we cannot do that,
because we don't know the user setup.

You can (mis)configure U-Boot to do signature verification but forget to
add the signature to the SPL/proper DTB. Then it'll do nothing of
course. To be fair, I got bit by that very mistake recently so maybe
there's something to improve there indeed.

> if those nodes are missing would leave the system fail open.
>

Yeah but why would they be missing in the first place? It's not like
this is something you can modify if part of a secure boot. The DTB of
stage 1 is used to verify FIT from stage 2. You need to trust DTB of
stage 1 (by verifying it with stage 0, etc.) otherwise I can also simply
just change the public key in there.

Also, this isn't actually handling fit image signature, only conf. Yes,
image signature is mostly security theater but at least we would have
consistent behavior here.

We very much need additional tests as well.

Cheers,
Quentin
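
The misconfiguration discussed in this thread (verification enabled, but no key in the SPL/proper DTB) can be caught before an image ships. As an added example, not code from U-Boot or from this thread: a Python check that walks a flattened device tree and reports whether any key node under /signature carries the `required` property for the given mode. The function names and the sample DTB builder are assumptions made for illustration, and the sample blobs are constructed.

```python
import struct

FDT_MAGIC, BEGIN, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def required_keys(dtb: bytes) -> dict:
    """Map each /signature/<key-node> to the value of its 'required' property."""
    magic, _size, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, found = off_struct, [], {}
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == BEGIN:                      # node name, NUL-terminated, 4-byte padded
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:                     # u32 length, u32 name offset, then value
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            start = off_strings + nameoff
            name = dtb[start:dtb.index(b"\0", start)].decode()
            value = dtb[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
            if len(path) == 3 and path[1] == "signature" and name == "required":
                found[path[2]] = value.rstrip(b"\0").decode()
        elif tok == END:
            return found
        elif tok != NOP:
            raise ValueError(f"unexpected FDT token {tok:#x}")

def fails_open(dtb: bytes, mode: str = "conf") -> bool:
    """True when no key in the control DTB is marked required for `mode`."""
    return mode not in required_keys(dtb).values()

def build_dtb(keys) -> bytes:
    """Constructed sample DTB; keys=None omits the /signature node entirely."""
    u32 = lambda *v: struct.pack(f">{len(v)}I", *v)
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    node = lambda name, body=b"": u32(BEGIN) + pad(name.encode() + b"\0") + body + u32(END_NODE)
    prop = lambda val: u32(PROP, len(val) + 1, 0) + pad(val.encode() + b"\0")
    sig = b"" if keys is None else node(
        "signature", b"".join(node(k, prop(v) if v else b"") for k, v in keys.items()))
    body, strings = node("", sig) + u32(END), b"required\0"
    hdr = u32(FDT_MAGIC, 56 + len(body) + len(strings), 56, 56 + len(body), 40, 17, 16, 0,
              len(strings), len(body))
    return hdr + b"\0" * 16 + body + strings
```

Running `fails_open()` on the control DTB as a release gate flags both cases raised here: a missing /signature node, and a key that is present but only marked for `image` rather than `conf`.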