{"id":2234222,"url":"http://patchwork.ozlabs.org/api/1.2/covers/2234222/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/cover/20260507120735.310325-1-ludwig.nussel@siemens.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.2/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260507120735.310325-1-ludwig.nussel@siemens.com>","list_archive_url":null,"date":"2026-05-07T12:06:21","name":"[v3,0/4] Improve FIT signature handling","submitter":{"id":90265,"url":"http://patchwork.ozlabs.org/api/1.2/people/90265/?format=json","name":"Ludwig Nussel","email":"ludwig.nussel@siemens.com"},"mbox":"http://patchwork.ozlabs.org/project/uboot/cover/20260507120735.310325-1-ludwig.nussel@siemens.com/mbox/","series":[{"id":503172,"url":"http://patchwork.ozlabs.org/api/1.2/series/503172/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=503172","date":"2026-05-07T12:06:22","name":"Improve FIT signature handling","version":3,"mbox":"http://patchwork.ozlabs.org/series/503172/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2234222/comments/","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.a=rsa-sha256 header.s=fm1 header.b=cycuWU5p;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.b=\"cycuWU5p\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=ludwig.nussel@siemens.com"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gB9xJ5bGBz1yCg\n\tfor ; Thu, 07 May 2026 22:07:48 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 1350A84AA4;\n\tThu, 7 May 2026 14:07:41 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id E748984AC8; Thu, 7 May 2026 14:07:39 +0200 (CEST)","from mta-64-228.siemens.flowmailer.net\n (mta-64-228.siemens.flowmailer.net [185.136.64.228])\n (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id BF3EE84A7D\n for ; Thu, 7 May 2026 14:07:37 +0200 (CEST)","by mta-64-228.siemens.flowmailer.net with ESMTPSA id\n 20260507120737c33b477dcc00020771 for ;\n Thu, 07 May 2026 14:07:37 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,\n SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm1;\n d=siemens.com; i=ludwig.nussel@siemens.com;\n h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc;\n bh=iLu+VUQQsVfH/akWgudpeXtrTrhi2p7DvUvCOr63Hvk=;\n b=cycuWU5py7qH1P9o+oXXUgUz7wh92wb/UgbNrHT11v7BNPyde9MEr/Z9aLhxgXir6uMFKS\n LT/oJTS24abZ8z0VsVjQ0sfLNkfipv4GEH9C6q6ilo0lPgJl0RBT1Fcr8cUPxq2SHraymwJV\n Njfk+ohzNwQVZ832dCqsl1DkyW+DGFXCtcJJq9PCscXyR3jBW/tD9/XDNYnB2XTHGFVBjl50\n Cuu7flXS8vQQ24wc5LJLyHR7/wyE9L4PO0nPo7uQM7gR3vqqAjgxFLBq1FEuKG6OfWP0CYrY\n MIH7jpnC/A0bySdDIOrabcJOPXu2vJupA8p3O7JLUgBNfDgOHALQ9Bsw==;","From":"Ludwig Nussel ","To":"u-boot@lists.denx.de","Cc":"Ludwig Nussel , Anshul Dalal\n , David Lechner , George Chan\n , Heinrich Schuchardt , Ilias\n Apalodimas , James Hilliard\n , Jonas Karlman , \"Kory\n Maincent (TI.com)\" , Kunihiko Hayashi\n , Marek Vasut\n , Martin Schwan ,\n Mattijs Korpershoek , Mayuresh Chitale\n , Neil Armstrong ,\n Osama Abdelkader , Patrice Chotard\n , Peng Fan , Quentin Schulz\n , Raymond Mao , Sam\n Protsenko , Shiji Yang\n , Simon Glass , Tom Rini\n , Tuomas Tynkkynen , Wolfgang\n Wallner , Yao Zi ","Subject":"[PATCH v3 0/4] Improve FIT signature handling","Date":"Thu, 7 May 2026 14:06:21 +0200","Message-ID":"<20260507120735.310325-1-ludwig.nussel@siemens.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Flowmailer-Platform":"Siemens","Feedback-ID":"519:519-1328817:519-21489:flowmailer","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"This patch series tries to improve dealing with FIT\n(configuration-)signatures a bit:\n - make signatures work with QEMU. QEMU brings it's own device tree at\n a memory address. U-Boot expects public keys in it's own DT though.\n So merge both.\n - (optionally) enforce signatures so we can't accidentally boot\n unsigned fit images. Quite an easy oversight, esp when qemu\n previously didn't even use the built in DT.\n - make iminfo verify configuration signatures, not just image hashes\n\nChanges in v3:\n- enable CONFIG_OF_OMIT_DTB=n in defconfig\n- add error returns\n- document decission about dt merging direction\n- make log_err use stdout too\n- clarify error message when no keys were found\n- change printfs to log_err\n- reword Kconfig\n- keep FIT_SIGNATURE_REQUIRED off by default\n- use log_err instead of printf in fit_config_verify_required_keys()\n- don't make iminfo fail unless FIT_SIGNATURE_REQUIRED is set\n- update fit_all_configurations_verify documentation\n- stub fit_all_configurations_verify unless FIT_SIGNATURES\n\nChanges in v2:\n- introduce FIT_SIGNATURE_REQUIRED\n- document fit_all_configurations_verify()\n\nLudwig Nussel (4):\n qemu: overlay signature nodes\n mkimage: define log_err and log_info\n image-fit-sig: Optionally require signatures\n iminfo: also verify signatures\n\n board/emulation/qemu-arm/qemu-arm.c | 50 ++++++++++++++++++++++++--\n boot/Kconfig | 10 ++++++\n boot/image-fit-sig.c | 22 +++++++-----\n boot/image-fit.c | 54 +++++++++++++++++++++++++++++\n boot/image-pre-load.c | 3 --\n cmd/bootm.c | 7 ++++\n configs/qemu_arm64_defconfig | 1 +\n include/image.h | 8 +++++\n tools/mkimage.h | 5 +++\n 9 files changed, 146 insertions(+), 14 deletions(-)"}