[PATCH v2 4/6] boot: allow SPL FIT signature verification without DM
Quentin Schulz
quentin.schulz at cherry.de
Thu May 7 13:17:01 CEST 2026
Hi Lukas,
On 5/1/26 12:33 AM, Lukas Schmid wrote:
> SPL FIT verification was effectively tied to Driver Model. The RSA
> verifier assumed a DM-backed modexp device, and SPL_FIT_SIGNATURE
> depended on SPL_DM. This prevents non-DM SPL platforms from using
> FIT signature verification even though the software modular exponent
> fallback is already available.
>
> Drop the hard SPL_DM dependency and only look up the modexp device
> when DM is enabled. Non-DM SPL builds then fall back to the software
> implementation and can enable signed FIT verification.
>
> Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
> ---
> boot/Kconfig | 1 -
> lib/rsa/rsa-verify.c | 16 ++++++++++------
> 2 files changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/boot/Kconfig b/boot/Kconfig
> index 4e9bc9491a0..6ccb7d44a5e 100644
> --- a/boot/Kconfig
> +++ b/boot/Kconfig
> @@ -202,7 +202,6 @@ config SPL_FIT_FULL_CHECK
>
> config SPL_FIT_SIGNATURE
> bool "Enable signature verification of FIT firmware within SPL"
> - depends on SPL_DM
> depends on SPL_LOAD_FIT
> select FIT_SIGNATURE
> select SPL_FIT
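
Review bot: with `depends on SPL_DM` removed, the SPL_FIT_SIGNATURE entry no longer expresses any requirement for a modular exponentiation backend; the lines that remain only depend on SPL_LOAD_FIT and select FIT_SIGNATURE and SPL_FIT. Suggest adding a `depends on` or `select` for whichever backend a non-DM SPL is expected to use, so that a configuration enabling signature verification without a usable verifier is rejected by Kconfig rather than found at link time or at boot.
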
> diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
> index 3169c3a6dd1..24b23ab565a 100644
> --- a/lib/rsa/rsa-verify.c
> +++ b/lib/rsa/rsa-verify.c
> @@ -355,13 +355,17 @@ static int rsa_verify_key(struct image_sign_info *info,
> hash_len = checksum->checksum_len;
>
> #if !defined(USE_HOSTCC)
> - ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
> - if (ret) {
> - printf("RSA: Can't find Modular Exp implementation\n");
> - return -EINVAL;
> - }
> + if (CONFIG_IS_ENABLED(DM)) {
> + ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
> + if (ret) {
> + printf("RSA: Can't find Modular Exp implementation\n");
> + return -EINVAL;
> + }
>
> - ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
> + ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
> + } else {
> + ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
> + }
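
Review bot: the new `else` branch calls `rsa_mod_exp_sw()` with no preprocessor or Kconfig guard visible in this hunk, so every non-DM target build compiles that call whether or not the software implementation is part of the build. Suggest guarding the call and returning an error when it is unavailable (the existing path already uses -EINVAL), so that verification fails closed instead of the build breaking. In the `if (CONFIG_IS_ENABLED(DM))` branch a failed `uclass_get_device()` still returns -EINVAL without trying the software path; a short comment stating that this is intentional would help.
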
Mmmmm I'm wondering if in the event we build with DM support but cannot
find a modexp implem we shouldn't default to the software implem if
available? Security-wise I'm not sure we're losing here, it's just that
I'm assuming SW-based RSA verification is slower than HW-based no?

Also, this function is only defined when CONFIG_RSA_SOFTWARE_EXP is
enabled (and we don't have a toggle for xPL phases (should we?)), so we
need to handle this here to avoid breaking builds.

Finally, I still see RSA_SOFTWARE_EXP depends on DM at the Kconfig
level. So bringing this in SPL seems wrong, as we would depend on U-Boot
proper having DM enabled for it to work in xPL. So either the dependency
is incorrect or we're missing something in SPL. With a cursory look at
it, it seems DM isn't required so maybe we can drop it.

Cheers,
Quentin