[v2,0/4] Improve FIT signature handling
Simon Glass
sjg at chromium.org
Thu May 7 17:31:51 CEST 2026
Hi Ludwig,
On Tue, 5 May 2026 at 06:39, Ludwig Nussel <ludwig.nussel at siemens.com> wrote:
>
> On 5/4/26 14:27, Simon Glass wrote:
> > Hi Ludwig,
> >
> > On 2026-04-30T12:25:59, Ludwig Nussel <ludwig.nussel at siemens.com> wrote:
> >
> >> (optionally) enforce signatures so we can't accidentally boot
> >> unsigned fit images.
> >
> > Thanks for tackling this - fail-open signature verification has bitten
> > people before, so making it opt-out is a good direction! A few
> > series-level points:
> >
> > test/py/tests/test_vboot.py exercises FIT signing end-to-end; please
> > extend it to cover FIT_SIGNATURE_REQUIRED in both the success and
> > fail-closed paths (no keys in the control DT, unsigned config).
> > fit_all_configurations_verify() added in patch 4 should also get a
> > test, ideally driven through iminfo so the command path is covered
> > too. I wonder if we should enable the option for just one of sandbox /
> > sandbox_flattree?
>
>
> Thanks for the review!
> I haven't touched tests at all so far, might take me a while to get into.
OK, let me know if you need help.
You might find this WIP tool helpful for running C and Python tests:
https://github.com/sjg20/uman
Regards,
Simon
More information about the U-Boot
mailing list