FIT Verification
Chawdhry, Manorit
m-chawdhry at ti.com
Fri Feb 27 11:54:37 CET 2026
Hi Neha, Nagabhushan,
On 2/27/2026 4:00 PM, Francis, Neha wrote:
> Hi Nagabhushan
>
> + Manorit do correct me if I'm wrong
>
> On 2/27/2026 5:14 AM, Simon Glass wrote:
>> +Neha Malcom Francis
>>
>> Hi,
>>
>> On Wed, 25 Feb 2026 at 01:54, Nagabhushan D <nagabhushand34 at gmail.com> wrote:
>>>
>>> Hi Team,
>>> I am a recent graduate working in Embedded stream. Currently exploring secure booting on TI boards. I went through some of the writings on github - https://github.com/ARM-software/u-boot/blob/master/doc/uImage.FIT/signature.txt and other sources by TI. I would like to get few confusions cleared by this mail and thanks for take some time for this.
>
> I'm linking a couple of links [0] and [1] that should clear up everything if you
> haven't stumbled upon them already.
>
>>>
>>> 1. Can I try out only fitImage verification with hs fs boards only?
>>
>> Neha may know about that one.
>
> No, both GP/HS can enforce fitImage auth (check FIT_SIGNATURE_ENFORCE)
>
FIT_SIGNATURE_ENFORCE is something that wasn't upstreamed.. it's
something internally that we had tried to flow flush it and just left it
at an RFC stage [2]
But to answer yes, all the keys and everything is contains within U-boot
so regardless of HS/GP or whatever device, it should work fine if you
follow the guide.
>>
>>> 2. Can I try it with ti dummy keys or any other way to know if the flow/fit signing is correct?
>>
>> There are tests which check signature verification using sandbox,
>> which might be the easiest way to try it out. See test_fit.py
>
> Yes sandbox testing would work, as well as building with the TI dummy key.
>
>>
>> Regards,
>> Simon
>
> [0]
> https://software-dl.ti.com/processor-sdk-linux/esd/AM62AX/latest/exports/docs/linux/Foundational_Components_Kernel_Users_Guide.html#creating-the-kernel-fitimage-for-high-security-device-gp-devices
> (this is our SDK doc, just in case you need more help to follow along, more or
> less the same as what the upstream docs talk about)
>
> [1] https://docs.u-boot.org/en/latest/board/ti/k3.html#fit-signature-signing
>
[2]:
https://lore.kernel.org/u-boot/20240111-b4-upstream-fit-signature-enforce-v1-1-2b91be31866e@ti.com/
Regards,
Manorit
More information about the U-Boot
mailing list