[PATCH v2 5/6] sunxi: extend binman FIT description for signed SPL images
Quentin Schulz
quentin.schulz at cherry.de
Thu May 7 13:30:21 CEST 2026
Hi Lukas,
On 5/1/26 12:33 AM, Lukas Schmid wrote:
> Extend the sunxi binman/FIT description to support signed SPL FIT
> images. Add an SPL public-key DTB image, per-image hash nodes,
> fit,sign support, and a configuration signature that covers
> firmware, loadables and the selected FDT.
>
> Handle TOC0 SPL output as well by adding the required filename and
> mkimage wrapping so the generated sunxi image remains verifiable.
>
I sympathize with the effort as I'd like something similar on Rockchip
but I don't think this is right.
> Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
> ---
> arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
> 1 file changed, 64 insertions(+), 4 deletions(-)
>
> diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
> index e1a9a7f5d4c..313fcad3922 100644
> --- a/arch/arm/dts/sunxi-u-boot.dtsi
> +++ b/arch/arm/dts/sunxi-u-boot.dtsi
> @@ -27,6 +27,38 @@
> #endif
>
> &binman {
> +#ifdef CONFIG_SPL_FIT_SIGNATURE
> + spl {
> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> + filename = "spl/u-boot-spl.bin";
> +#else
> + filename = "spl/sunxi-spl.bin";
> +#endif
> +
> + u-boot-spl-nodtb {
> + };
> +
You're missing

#if !IS_ENABLED(CONFIG_SPL_SEPARATE_BSS)
		u-boot-spl-bss-pad {
		};
#endif /* !CONFIG_SPL_SEPARATE_BSS */

here.
> + u-boot-spl-pubkey-dtb {
> + algo = "sha256,rsa2048";
> + required = "conf";
> + key-name-hint = "dev";
> + };
You're forcing the use of an RSA2048 key, which is not recommended
anymore as far as I know. RSA4096 is "better" when using RSA.

This also forces the user to have a dev.crt certificate to be able to
build the image. It's not a secret or sensitive info so I guess that's fine.
> + };
> +
> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> + image {
> + filename = "spl/sunxi-spl.bin";
> +
> + mkimage {
> + args = "-a 0x20060 -T sunxi_toc0";
> + data-to-imagename;
> +
> + u-boot-spl {
> + };
> + };
> + };
> +#endif
> +#endif
> u-boot-sunxi-with-spl {
> filename = "u-boot-sunxi-with-spl.bin";
> pad-byte = <0xff>;
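
Review bot: In the `u-boot-spl-pubkey-dtb` node, `algo = "sha256,rsa2048"` and `key-name-hint = "dev"` are fixed in the shared sunxi dtsi, so every board that enables CONFIG_SPL_FIT_SIGNATURE is tied to one algorithm and one key name with no way to override them. Consider taking both from configuration or letting a board dtsi set them, and state how they are kept in step with the key that signs the FIT configuration, since nothing in this hunk ties the two together. The `-a 0x20060` in the TOC0 `mkimage` args is also a bare constant; a comment saying where that address comes from would help.
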
> @@ -45,6 +77,9 @@
> description = "Configuration to load U-Boot and firmware";
> #address-cells = <1>;
> fit,fdt-list = "of-list";
> +#ifdef CONFIG_SPL_FIT_SIGNATURE
> + fit,sign;
> +#endif
>
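
Review bot: `fit,sign;` is keyed only on CONFIG_SPL_FIT_SIGNATURE, so enabling verification in SPL also makes signing part of the binman build, with no way to produce an unsigned FIT that is signed in a later step. Consider gating it on a separate option, and document how the key location is passed to the build and what the build does when the key is missing.
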
This requires the user to sign as part of building U-Boot and therefore
have access to the private key. Some users may want to sign separately
from their U-Boot building step such that building can be done anywhere
but signing is only done on specific infrastructure.

This also doesn't allow the user to use OpenSSL engines for signing (yes,
engines are deprecated and replaced by providers, but the same likely
applies to providers once we support that).

You definitely need to document this somewhere, likely in
doc/board/allwinner?

I'll try to keep an eye on this and see if there's something we can take
for Rockchip as well :) But I don't know how to do this nicely and make
it "safer" to set up FIT signature verification for devices and avoid
common pitfalls or misconfigurations while still allowing out-of-build
signing and configuration of keys.

Cheers,
Quentin