[PATCH 4/6] boot: allow SPL FIT signature verification without DM

[Lukas Schmid]

SPL FIT verification was effectively tied to Driver Model. The RSA
verifier assumed a DM-backed modexp device, and SPL_FIT_SIGNATURE
depended on SPL_DM. This prevents non-DM SPL platforms from using
FIT signature verification even though the software modular exponent
fallback is already available.

Drop the hard SPL_DM dependency and only look up the modexp device
when DM is enabled. Non-DM SPL builds then fall back to the software
implementation and can enable signed FIT verification.

Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
---
 boot/Kconfig         |  1 -
 lib/rsa/rsa-verify.c | 16 ++++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index 4e9bc9491a0..6ccb7d44a5e 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -202,7 +202,6 @@ config SPL_FIT_FULL_CHECK
 
 config SPL_FIT_SIGNATURE
 	bool "Enable signature verification of FIT firmware within SPL"
-	depends on SPL_DM
 	depends on SPL_LOAD_FIT
 	select FIT_SIGNATURE
 	select SPL_FIT
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 3169c3a6dd1..24b23ab565a 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -355,13 +355,17 @@ static int rsa_verify_key(struct image_sign_info *info,
 	hash_len = checksum->checksum_len;
 
 #if !defined(USE_HOSTCC)
-	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
-	if (ret) {
-		printf("RSA: Can't find Modular Exp implementation\n");
-		return -EINVAL;
-	}
+	if (CONFIG_IS_ENABLED(DM)) {
+		ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
+		if (ret) {
+			printf("RSA: Can't find Modular Exp implementation\n");
+			return -EINVAL;
+		}
 
-	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
+		ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
+	} else {
+		ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
+	}
 #else
 	ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
 #endif
-- 
2.47.3