[PATCH v2 3/4] image-fit-sig: Optionally require signatures

Ludwig Nussel ludwig.nussel at siemens.com
Thu Apr 30 14:26:02 CEST 2026


If U-Boot is built with signature verification but no keys are
included in the device tree, the boot would still continue.
Introduce FIT_SIGNATURE_REQUIRED to avoid a fail-open setup. The
default is enabled which may break existing setups that rely on the
insecure behavior.

Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>

---

Changes in v2:
  - introduce FIT_SIGNATURE_REQUIRED

 boot/Kconfig         | 10 ++++++++++
 boot/image-fit-sig.c | 12 +++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index ae6f09a6ede..c90eae55a60 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -124,6 +124,16 @@ config FIT_SIGNATURE
 	  format support in this case, enable it using
 	  CONFIG_LEGACY_IMAGE_FORMAT.
 
+config FIT_SIGNATURE_REQUIRED
+	bool "Require signature verification of FIT uImages"
+	depends on FIT_SIGNATURE
+	default y
+	help
+	  This option requires that FIT uImages are signed. That
+	  means the U-Boot device tree must contain public keys for
+	  verification and all configuration sections must be signed
+	  using those keys.
+
 config FIT_SIGNATURE_MAX_SIZE
 	hex "Max size of signed FIT structures"
 	depends on FIT_SIGNATURE
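Review bot: The help text for FIT_SIGNATURE_REQUIRED does not say what happens when the requirement is not met, nor what selecting N means. Since the option is "default y" and changes behaviour for boards that enable FIT_SIGNATURE without keys in the control device tree, the help should state that verification fails with an error when the device tree has no signature node or when no signature verifies, and that N keeps the previous behaviour of continuing to boot in that case. A short "If unsure, say Y" line would also fit here.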
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 433df20281f..9eabf33079b 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -639,9 +639,11 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
 	/* Work out what we need to verify */
 	key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);
 	if (key_node < 0) {
-		debug("%s: No signature node found: %s\n", __func__,
-		      fdt_strerror(key_node));
-		return 0;
+		log_err("No signature node found: %s\n", fdt_strerror(key_node));
+		if (IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED))
+			return -EPERM;
+		else
+			return 0;
 	}
 
 	/* Get required-mode policy property from DTB */
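Review bot: In the "key_node < 0" branch, log_err() now fires even when CONFIG_FIT_SIGNATURE_REQUIRED is disabled and the function returns 0, so a configuration that is still permitted reports an error on every verification. Consider moving log_err() under the IS_ENABLED() check and keeping the old debug() (or a warning-level message) for the "return 0" path. The "else" after "return -EPERM;" is also redundant; a plain "return 0;" after the if reads more cleanly.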
@@ -685,8 +687,8 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
 		}
 	}
 
-	if (reqd_sigs && !verified) {
-		printf("Failed to verify 'any' of the required signature(s)\n");
+	if ((reqd_sigs || IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED)) && !verified) {
+		log_err("Failed to verify 'any' of the required signature(s)\n");
 		return -EPERM;
 	}
 
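Review bot: With the new condition, "reqd_sigs == 0" together with CONFIG_FIT_SIGNATURE_REQUIRED and "!verified" returns -EPERM but still reports "Failed to verify 'any' of the required signature(s)", which is misleading when no signature was marked required in the first place. A separate message for that case (for example, one saying that no required key was found and that signatures are mandatory) would make the failure diagnosable from the console. The printf() to log_err() switch is unrelated to the behaviour change and is not mentioned in the commit message; either note it there or split it out.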
-- 
2.43.0


