Yes, it is possible to do this. The SPL will check its own DTB to check which signatures are required.
When the FIT that the SPL will load is created with mkimage, you also pass the SPL's dtb file, which will be patched to include the required signatures.

I am not sure if the config system has the ability to specify this. My build process separates the signing from the normal uboot build (so that I can keep the private keys more secure), so I am manually calling mkimage.

The command I am using to generate my second stage signed u-boot FIT file which is loaded by SPL:

    mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit

The updated u-boot-spl.dtb needs to be available for the SPL to load at startup - often by appending this dtb to the end of the SPL binary. In my case I do this:

    cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb > u-boot-spl.bin

-----Original Message-----
From: U-Boot <u-boot-boun...@lists.denx.de> On Behalf Of Andrii Voloshyn
Sent: Saturday, 12 September 2020 12:18 am
To: u-boot <u-boot@lists.denx.de>
Subject: SPL FIT configuration signature verification

Hi there,

Is it possible to make SPL U-Boot to verify signature located in configuration section of FIT image, and do not continue in case the signature is missing or doesn't match? Asking because I couldn't find any configuration option for that, and I have FIT image with signature but SPL U-boot doesn't check it at all, it only checks signatures for images if present.

Thanks

Cheers,
Andy