[PATCH v2 5/6] sunxi: extend binman FIT description for signed SPL images
Simon Glass
sjg at chromium.org
Fri May 8 20:12:32 CEST 2026
Hi Quentin,
On Fri, 8 May 2026 at 08:02, Quentin Schulz <quentin.schulz at cherry.de> wrote:
>
> Hi Simon,
>
> On 5/7/26 6:49 PM, Simon Glass wrote:
> > Hi Lukas, Quentin,
> >
> > On Thu, 7 May 2026 at 05:30, Quentin Schulz <quentin.schulz at cherry.de> wrote:
> >>
> >> Hi Lukas,
> >>
> >> On 5/1/26 12:33 AM, Lukas Schmid wrote:
> >>> Extend the sunxi binman/FIT description to support signed SPL FIT
> >>> images. Add an SPL public-key DTB image, per-image hash nodes,
> >>> fit,sign support, and a configuration signature that covers
> >>> firmware, loadables and the selected FDT.
> >>>
> >>> Handle TOC0 SPL output as well by adding the required filename and
> >>> mkimage wrapping so the generated sunxi image remains verifiable.
> >>>
> >>
> >> I sympathize with the effort as I'd like something similar on Rockchip
> >> but I don't think this is right.
> >>
> >>> Signed-off-by: Lukas Schmid <lukas.schmid at netcube.li>
> >>> ---
> >>> arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--
> >>> 1 file changed, 64 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
> >>> index e1a9a7f5d4c..313fcad3922 100644
> >>> --- a/arch/arm/dts/sunxi-u-boot.dtsi
> >>> +++ b/arch/arm/dts/sunxi-u-boot.dtsi
> >>> @@ -27,6 +27,38 @@
> >>> #endif
> >>>
> >>> &binman {
> >>> +#ifdef CONFIG_SPL_FIT_SIGNATURE
> >>> + spl {
> >>> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> >>> + filename = "spl/u-boot-spl.bin";
> >>> +#else
> >>> + filename = "spl/sunxi-spl.bin";
> >>> +#endif
> >>> +
> >>> + u-boot-spl-nodtb {
> >>> + };
> >>> +
> >>
> >> You're missing
> >>
> >> #if !IS_ENABLED(CONFIG_SPL_SEPARATE_BSS)
> >> u-boot-spl-bss-pad {
> >> };
> >> #endif /* !CONFIG_SPL_SEPARATE_BSS */
> >>
> >> here.
> >>
> >>
> >>> + u-boot-spl-pubkey-dtb {
> >>> + algo = "sha256,rsa2048";
> >>> + required = "conf";
> >>> + key-name-hint = "dev";
> >>> + };
> >>
> >> You're forcing the use of an RSA2048 key which is not recommended
> >> nowadays anymore as far as I know. RSA4096 is "better" when using RSA.
> >>
> >> This also forces the user to have a dev.crt certificate to be able to
> >> build the image. It's not a secret or sensitive info so I guess that's fine.
> >>
> >>> + };
> >>> +
> >>> +#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0
> >>> + image {
> >>> + filename = "spl/sunxi-spl.bin";
> >>> +
> >>> + mkimage {
> >>> + args = "-a 0x20060 -T sunxi_toc0";
> >>> + data-to-imagename;
> >>> +
> >>> + u-boot-spl {
> >>> + };
> >>> + };
> >>> + };
> >>> +#endif
> >>> +#endif
> >>> u-boot-sunxi-with-spl {
> >>> filename = "u-boot-sunxi-with-spl.bin";
> >>> pad-byte = <0xff>;
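Review bot: `args = "-a 0x20060 -T sunxi_toc0"` hard-codes the SPL load address as a literal in the generic dtsi; consider deriving it from a Kconfig value so it cannot drift from the SPL link address if a board changes it. In the same hunk, `key-name-hint = "dev"` and `algo = "sha256,rsa2048"` bake one key name and one algorithm into a file shared by every sunxi board, so a board with a differently named or stronger key has to patch the dtsi rather than set a config option; a Kconfig-driven string for both would avoid that. Lastly, the non-TOC0 branch writes the raw `spl` section straight to "spl/sunxi-spl.bin" while only the TOC0 branch goes through `mkimage`; a comment saying where the eGON header is applied in that case would help the next reader.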
> >>> @@ -45,6 +77,9 @@
> >>> description = "Configuration to load U-Boot and firmware";
> >>> #address-cells = <1>;
> >>> fit,fdt-list = "of-list";
> >>> +#ifdef CONFIG_SPL_FIT_SIGNATURE
> >>> + fit,sign;
> >>> +#endif
> >>>
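Review bot: `fit,sign;` is enabled directly by CONFIG_SPL_FIT_SIGNATURE, so every build with signature verification turned on needs the private key on the build host, even though the commit message only requires the pubkey DTB there. Consider gating the property on a separate opt-in symbol so the FIT can be produced with its hash and signature nodes filled in but unsigned, leaving the actual signing to be done later on dedicated infrastructure.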
> >>
> >> This requires the user to sign as part of building U-Boot and therefore
> >> have access to the private key. Some users may want to sign separately
> >> from their U-Boot building step such that building can be done anywhere
> >> but signing is only done on specific infrastructure.
> >
> > I wonder if binman could help here, perhaps by providing an option
> > (for CI) to skip signing if the file is missing?
> >
>
> If fit,sign is there, we should sign and not give an option to silence
> fails. The fact we can have SPL_FIT_SIGNATURE enabled and not include
> the pubkey in the SPL DTB is already big enough of a footgun, we
> shouldn't add more 🙂
Sure...I'm not suggesting that the build should succeed though...a bit
like how we have 'buildman --allow-missing'. It's just a wacky idea so
that we can avoid needing special cases everywhere.
>
> The thought I had a while ago was that we could simply have the whole
> setup without fit,sign property during typical build workflow and then
> sign with yet-unused info in the FIT Device Tree. Meaning the hash nodes
> are added, in images/confs/both, with the expected key-name-hint and
> all, but not signed (the pubkey can be inserted already if we have
> access to it, but maybe it's stored in an HSM also, not always easy to
> think about every possible scenario). So you generate an image with
> pubkey in SPL DTB, and unsigned FIT as u-boot.itb. Then have mkimage or
> binman run outside of the normal build workflow to sign required
> artifacts in u-boot.itb. All the info for that is hopefully still in the
> FIT Device Tree such that we can sign properly.
Yes I thought we had that feature somewhere but can't remember where.
It might have been my imagination.
Regards,
Simon
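The split workflow Quentin sketches (build anywhere without the private key, sign later on dedicated infrastructure), as an added shell example that is not part of the thread or of the patch. It assumes the FIT already carries signature nodes naming the key by `key-name-hint`, that keys live as `<keydir>/<hint>.key` and `<keydir>/<hint>.crt`, and that the hint is "dev"; the directory and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): a two-stage flow in which
# the U-Boot build emits an unsigned u-boot.itb and a separate signing host
# fills in the signatures afterwards with `mkimage -F`.

# Build-host invariant: no private key material should be present where the
# build runs. Returns 0 when the directory holds no *.key files or is absent.
no_private_keys_in() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.key; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Pre-flight check for the signing host: the private key and certificate named
# by the FIT's key-name-hint must both exist (assumed layout <keydir>/<hint>.*).
check_keys() {
    keydir=$1
    hint=$2
    [ -f "$keydir/$hint.key" ] && [ -f "$keydir/$hint.crt" ]
}

# Signing step, run only on the signing infrastructure. -F makes mkimage sign
# an existing FIT in place using the algo and key-name-hint already recorded in
# its signature nodes; -k points at the directory holding the private keys.
sign_fit() {
    keydir=$1
    fit=$2
    hint=$3
    if ! check_keys "$keydir" "$hint"; then
        echo "missing $hint.key or $hint.crt in $keydir" >&2
        return 1
    fi
    mkimage -F -k "$keydir" "$fit"
}

# Usage (assumed paths):
#   build host:   no_private_keys_in keys && make    # yields unsigned u-boot.itb
#   signing host: sign_fit keys u-boot.itb dev
```

The build host only ever needs the public key (the `u-boot-spl-pubkey-dtb` node in the patch), so `no_private_keys_in` is a cheap guard to run in CI before `make`; `sign_fit` refuses to call `mkimage` unless both halves of the named key are present, which turns a silent "signed with the wrong key" into an early, loud failure.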