[PATCH v2 5/6] sunxi: extend binman FIT description for signed SPL images
Quentin Schulz
quentin.schulz at cherry.de
Fri May 8 16:02:51 CEST 2026
Hi Simon,
On 5/7/26 6:49 PM, Simon Glass wrote:
> Hi Lukas, Quentin,
>
> On Thu, 7 May 2026 at 05:30, Quentin Schulz <quentin.schulz at cherry.de> wrote:
>>
>> Hi Lukas,
>>
>> On 5/1/26 12:33 AM, Lukas Schmid wrote:
>>> Extend the sunxi binman/FIT description to support signed SPL FIT
>>> images. Add an SPL public-key DTB image, per-image hash nodes,
>>> fit,sign support, and a configuration signature that covers
>>> firmware, loadables and the selected FDT.
>>>
>>> Handle TOC0 SPL output as well by adding the required filename and
>>> mkimage wrapping so the generated sunxi image remains verifiable.
>>>
>>
>> I sympathize with the effort as I'd like something similar on Rockchip
>> but I don't think this is right.
>>
>>> Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
>>> ---
>>> arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
>>> 1 file changed, 64 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
>>> index e1a9a7f5d4c..313fcad3922 100644
>>> --- a/arch/arm/dts/sunxi-u-boot.dtsi
>>> +++ b/arch/arm/dts/sunxi-u-boot.dtsi
>>> @@ -27,6 +27,38 @@
>>> #endif
>>>
>>> &binman {
>>> +#ifdef CONFIG_SPL_FIT_SIGNATURE
>>> + spl {
>>> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
>>> + filename = "spl/u-boot-spl.bin";
>>> +#else
>>> + filename = "spl/sunxi-spl.bin";
>>> +#endif
>>> +
>>> + u-boot-spl-nodtb {
>>> + };
>>> +
>>
>> You're missing
>>
>> #if !IS_ENABLED(CONFIG_SPL_SEPARATE_BSS)
>> u-boot-spl-bss-pad {
>> };
>> #endif /* !CONFIG_SPL_SEPARATE_BSS */
>>
>> here.
>>
>>
>>> + u-boot-spl-pubkey-dtb {
>>> + algo = "sha256,rsa2048";
>>> + required = "conf";
>>> + key-name-hint = "dev";
>>> + };
>>
>> You're forcing the use of an RSA2048 key which is not recommended
>> nowadays anymore as far as I know. RSA4096 is "better" when using RSA.
>>
>> This also forces the user to have a dev.crt certificate to be able to
>> build the image. It's not a secret or sensitive info so I guess that's fine.
>>
>>> + };
>>> +
>>> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
>>> + image {
>>> + filename = "spl/sunxi-spl.bin";
>>> +
>>> + mkimage {
>>> + args = "-a 0x20060 -T sunxi_toc0";
>>> + data-to-imagename;
>>> +
>>> + u-boot-spl {
>>> + };
>>> + };
>>> + };
>>> +#endif
>>> +#endif
>>> u-boot-sunxi-with-spl {
>>> filename = "u-boot-sunxi-with-spl.bin";
>>> pad-byte = <0xff>;
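Review bot: the `u-boot-spl-pubkey-dtb` node hard-codes `algo = "sha256,rsa2048"` and `key-name-hint = "dev"`, so every sunxi board built with CONFIG_SPL_FIT_SIGNATURE is tied to one key name and one algorithm; consider taking both from board configuration so a user can choose a stronger RSA size or a different key name without editing the shared dtsi. The `spl` node is also missing the `u-boot-spl-bss-pad` entry (guarded by `#if !IS_ENABLED(CONFIG_SPL_SEPARATE_BSS)`) that Quentin points out above; without it the signed layout differs from the unsigned one.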
>>> @@ -45,6 +77,9 @@
>>> description = "Configuration to load U-Boot and firmware";
>>> #address-cells = <1>;
>>> fit,fdt-list = "of-list";
>>> +#ifdef CONFIG_SPL_FIT_SIGNATURE
>>> + fit,sign;
>>> +#endif
>>>
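Review bot: adding `fit,sign` unconditionally under CONFIG_SPL_FIT_SIGNATURE makes a successful build depend on the private key being present on the build host, which is the concern raised in the reply below; the commit message should at least state which key file binman expects and where it looks for it, and it is worth considering whether the hash and signature nodes could be emitted without `fit,sign` so signing can happen in a separate step.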
>>
>> This requires the user to sign as part of building U-Boot and therefore
>> have access to the private key. Some users may want to sign separately
>> from their U-Boot building step such that building can be done anywhere
>> but signing is only done on specific infrastructure.
>
> I wonder if binman could help here, perhaps by providing an option
> (for CI) to skip signing if the file is missing?
>
If fit,sign is there, we should sign and not give an option to silence
fails. The fact we can have SPL_FIT_SIGNATURE enabled and not include
the pubkey in the SPL DTB is already big enough of a footgun, we
shouldn't add more 🙂
The thought I had a while ago was that we could simply have the whole
setup without fit,sign property during typical build workflow and then
sign with yet-unused info in the FIT Device Tree. Meaning the hash nodes
are added, in images/confs/both, with the expected key-name-hint and
all, but not signed (the pubkey can be inserted already if we have
access to it, but maybe it's stored in an HSM also, not always easy to
think about every possible scenario). So you generate an image with
pubkey in SPL DTB, and unsigned FIT as u-boot.itb. Then have mkimage or
binman run outside of the normal build workflow to sign required
artifacts in u-boot.itb. All the info for that is hopefully still in the
FIT Device Tree such that we can sign properly.
Cheers,
Quentin
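The two-step flow Quentin describes (build an unsigned u-boot.itb that already carries its signature nodes and key-name-hint, then sign it on separate infrastructure) as an added shell example; this is not code from the patch or the thread. It assumes mkimage's convention that the key named by key-name-hint lives in the key directory as `<hint>.key` with its certificate as `<hint>.crt`, and that the SPL DTB path passed in is the one the pubkey is to be inserted into.

```shell
#!/bin/sh
# Added example: out-of-band signing of a FIT built without fit,sign.
# Assumes the mkimage key-directory layout <keydir>/<hint>.key and
# <keydir>/<hint>.crt, where <hint> is the FIT's key-name-hint (e.g. "dev").

# Check the key material mkimage will need before touching the image.
# Returns 0 only when both the private key and certificate are present.
check_key_material() {
    keydir="$1"
    hint="$2"
    [ -d "$keydir" ] || { echo "key directory '$keydir' missing" >&2; return 1; }
    [ -f "$keydir/$hint.key" ] || { echo "'$hint.key' not in $keydir" >&2; return 1; }
    [ -f "$keydir/$hint.crt" ] || { echo "'$hint.crt' not in $keydir" >&2; return 1; }
    return 0
}

# Sign an existing FIT in place (mkimage -F re-signs using the signature
# nodes already in the FIT) and, when an SPL DTB is given, insert the
# public key into it (-K). -r marks the key as required in that DTB.
sign_fit() {
    keydir="$1"
    hint="$2"
    fit="$3"
    spl_dtb="$4"
    check_key_material "$keydir" "$hint" || return 1
    [ -f "$fit" ] || { echo "FIT '$fit' missing" >&2; return 1; }
    if [ -n "$spl_dtb" ]; then
        mkimage -F -k "$keydir" -K "$spl_dtb" -r "$fit"
    else
        mkimage -F -k "$keydir" -r "$fit"
    fi
}
```

Run `sign_fit /path/to/keys dev u-boot.itb spl/u-boot-spl.dtb` on the signing host only; the build host never needs the `.key` file.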