FIT Verification

Tom Rini trini at konsulko.com
Mon Mar 2 23:18:26 CET 2026 

On Fri, Feb 27, 2026 at 04:24:37PM +0530, Chawdhry, Manorit wrote:
> Hi Neha, Nagabhushan,
> 
> On 2/27/2026 4:00 PM, Francis, Neha wrote:
> > Hi Nagabhushan
> > 
> > + Manorit do correct me if I'm wrong
> > 
> > On 2/27/2026 5:14 AM, Simon Glass wrote:
> > > +Neha Malcom Francis
> > > 
> > > Hi,
> > > 
> > > On Wed, 25 Feb 2026 at 01:54, Nagabhushan D <nagabhushand34 at gmail.com> wrote:
> > > > 
> > > > Hi Team,
> > > > I am a recent graduate working in Embedded stream. Currently exploring secure booting on TI boards. I went through some of the writings on github - https://github.com/ARM-software/u-boot/blob/master/doc/uImage.FIT/signature.txt and other sources by TI. I would like to get few confusions cleared by this mail and thanks for take some time for this.
> > 
> > I'm linking a couple of links [0] and [1] that should clear up everything if you
> > haven't stumbled upon them already.
> > 
> > > > 
> > > > 1. Can I try out only fitImage verification with hs fs boards only?
> > > 
> > > Neha may know about that one.
> > 
> > No, both GP/HS can enforce fitImage auth (check FIT_SIGNATURE_ENFORCE)
> > 
> 
> FIT_SIGNATURE_ENFORCE is something that wasn't upstreamed.. it's something
> internally that we had tried to flow flush it and just left it at an RFC
> stage [2]
> 
> But to answer yes, all the keys and everything is contains within U-boot so
> regardless of HS/GP or whatever device, it should work fine if you follow
> the guide.
> 
> > > 
> > > > 2. Can I try it with ti dummy keys or any other way to know if the flow/fit signing is correct?
> > > 
> > > There are tests which check signature verification using sandbox,
> > > which might be the easiest way to try it out. See test_fit.py
> > 
> > Yes sandbox testing would work, as well as building with the TI dummy key.
> > 
> > > 
> > > Regards,
> > > Simon
> > 
> > [0]
> > https://software-dl.ti.com/processor-sdk-linux/esd/AM62AX/latest/exports/docs/linux/Foundational_Components_Kernel_Users_Guide.html#creating-the-kernel-fitimage-for-high-security-device-gp-devices
> > (this is our SDK doc, just in case you need more help to follow along, more or
> > less the same as what the upstream docs talk about)
> > 
> > [1] https://docs.u-boot.org/en/latest/board/ti/k3.html#fit-signature-signing
> > 
> 
> [2]: https://lore.kernel.org/u-boot/20240111-b4-upstream-fit-signature-enforce-v1-1-2b91be31866e@ti.com/

And someone picking this up again would be appreciated.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260302/3a5528c8/attachment.sig>

More information about the U-Boot mailing list