[PATCH v2 5/6] sunxi: extend binman FIT description for signed SPL images
Simon Glass
sjg at chromium.org
Thu May 7 18:49:45 CEST 2026
Hi Lukas, Quentin,
On Thu, 7 May 2026 at 05:30, Quentin Schulz <quentin.schulz at cherry.de> wrote:
>
> Hi Lukas,
>
> On 5/1/26 12:33 AM, Lukas Schmid wrote:
> > Extend the sunxi binman/FIT description to support signed SPL FIT
> > images. Add an SPL public-key DTB image, per-image hash nodes,
> > fit,sign support, and a configuration signature that covers
> > firmware, loadables and the selected FDT.
> >
> > Handle TOC0 SPL output as well by adding the required filename and
> > mkimage wrapping so the generated sunxi image remains verifiable.
> >
>
> I sympathize with the effort as I'd like something similar on Rockchip
> but I don't think this is right.
>
> > Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
> > ---
> > arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
> > 1 file changed, 64 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
> > index e1a9a7f5d4c..313fcad3922 100644
> > --- a/arch/arm/dts/sunxi-u-boot.dtsi
> > +++ b/arch/arm/dts/sunxi-u-boot.dtsi
> > @@ -27,6 +27,38 @@
> > #endif
> >
> > &binman {
> > +#ifdef CONFIG_SPL_FIT_SIGNATURE
> > + spl {
> > +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> > + filename = "spl/u-boot-spl.bin";
> > +#else
> > + filename = "spl/sunxi-spl.bin";
> > +#endif
> > +
> > + u-boot-spl-nodtb {
> > + };
> > +
>
> You're missing
>
> #if !IS_ENABLED(CONFIG_SPL_SEPARATE_BSS)
> u-boot-spl-bss-pad {
> };
> #endif /* !CONFIG_SPL_SEPARATE_BSS */
>
> here.
>
>
> > + u-boot-spl-pubkey-dtb {
> > + algo = "sha256,rsa2048";
> > + required = "conf";
> > + key-name-hint = "dev";
> > + };
>
> You're forcing the use of an RSA2048 key which is not recommended
> nowadays anymore as far as I know. RSA4096 is "better" when using RSA.
>
> This also forces the user to have a dev.crt certificate to be able to
> build the image. It's not a secret or sensitive info so I guess that's fine.
>
> > + };
> > +
> > +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> > + image {
> > + filename = "spl/sunxi-spl.bin";
> > +
> > + mkimage {
> > + args = "-a 0x20060 -T sunxi_toc0";
> > + data-to-imagename;
> > +
> > + u-boot-spl {
> > + };
> > + };
> > + };
> > +#endif
> > +#endif
> > u-boot-sunxi-with-spl {
> > filename = "u-boot-sunxi-with-spl.bin";
> > pad-byte = <0xff>;
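Review bot: `algo = "sha256,rsa2048"` and `key-name-hint = "dev"` in the `u-boot-spl-pubkey-dtb` node are fixed strings in the shared sunxi dtsi, so a board cannot choose a different key name or algorithm without editing this file. Consider taking both from Kconfig options. The `-a 0x20060` load address passed to mkimage in the TOC0 `image` node is also an unexplained magic value and needs a comment saying where it comes from.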
> > @@ -45,6 +77,9 @@
> > description = "Configuration to load U-Boot and firmware";
> > #address-cells = <1>;
> > fit,fdt-list = "of-list";
> > +#ifdef CONFIG_SPL_FIT_SIGNATURE
> > + fit,sign;
> > +#endif
> >
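Review bot: `fit,sign;` is guarded only by `CONFIG_SPL_FIT_SIGNATURE`, so enabling SPL signature verification also turns on signing in the binman step, and nothing in this hunk allows one without the other. A separate option for build-time signing would let verification be configured while the FIT is signed in a later step. A comment or documentation pointer saying where the signing key is expected would also help.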
>
> This requires the user to sign as part of building U-Boot and therefore
> have access to the private key. Some users may want to sign separately
> from their U-Boot building step such that building can be done anywhere
> but signing is only done on specific infrastructure.
I wonder if binman could help here, perhaps by providing an option
(for CI) to skip signing if the file is missing?
>
> This also doesn't allow the user to use OpenSSL engines for signing (yes
> engines are deprecated and replaced by providers, but the same likely
> applies for providers once we support that).
>
> You definitely need to document this somewhere, likely in
> doc/board/allwinner?
>
> I'll try to keep an eye on this and see if there's something we can take
> for Rockchip as well :) But I don't know how to do this nicely and make
> it "safer" to set up FIT signature verification for devices and avoid
> common pitfalls or misconfigurations while still allowing out-of-build
> signing and configuration of keys.
Regards,
Simon