{"id":2231244,"url":"http://patchwork.ozlabs.org/api/patches/2231244/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260430142602.v2.3.6d1d5d14140677a76a7cd7bb99a9088d8c8f480c@changeid/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430142602.v2.3.6d1d5d14140677a76a7cd7bb99a9088d8c8f480c@changeid>","list_archive_url":null,"date":"2026-04-30T12:26:02","name":"[v2,3/4] image-fit-sig: Optionally require signatures","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d0fb8cdf014248ccabf2dcab2231c11bfac82edb","submitter":{"id":90265,"url":"http://patchwork.ozlabs.org/api/people/90265/?format=json","name":"Ludwig Nussel","email":"ludwig.nussel@siemens.com"},"delegate":{"id":3651,"url":"http://patchwork.ozlabs.org/api/users/3651/?format=json","username":"trini","first_name":"Tom","last_name":"Rini","email":"trini@ti.com"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260430142602.v2.3.6d1d5d14140677a76a7cd7bb99a9088d8c8f480c@changeid/mbox/","series":[{"id":502295,"url":"http://patchwork.ozlabs.org/api/series/502295/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=502295","date":"2026-04-30T12:25:59","name":"Improve FIT signature handling","version":2,"mbox":"http://patchwork.ozlabs.org/series/502295/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231244/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231244/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.a=rsa-sha256 header.s=fm2 header.b=eKjroxUJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=siemens.com header.i=ludwig.nussel@siemens.com\n header.b=\"eKjroxUJ\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=siemens.com","phobos.denx.de;\n spf=pass smtp.mailfrom=ludwig.nussel@siemens.com"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5thw3xqpz1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 22:27:12 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 42BB683693;\n\tThu, 30 Apr 2026 14:26:53 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 80B7984653; Thu, 30 Apr 2026 14:26:49 +0200 (CEST)","from mta-64-227.siemens.flowmailer.net\n (mta-64-227.siemens.flowmailer.net [185.136.64.227])\n (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 1083B803C6\n for <u-boot@lists.denx.de>; Thu, 30 Apr 2026 14:26:47 +0200 (CEST)","by mta-64-227.siemens.flowmailer.net with ESMTPSA id\n 2026043012264502a97dbc6300020768 for <u-boot@lists.denx.de>;\n Thu, 30 Apr 2026 14:26:45 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,\n SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2;\n d=siemens.com; i=ludwig.nussel@siemens.com;\n h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;\n bh=jziaRR3Mg9eWFKurzeIyuFMjTQ7usuJt5DKktQIpI6k=;\n b=eKjroxUJIQ6dHagdCTBZhKD5G00ZobEQ4oRuOzsttdy0QYQ00Ood7pp487kPTtjT44vV+i\n 2h0pyZLo1GFpZB+6lK5Po6MyabenJmxTLrozaBa6qhBdgYPWpZedWkvYzxsbsTHMNxrSAemr\n hU11ceg/X9/VWl98GLUPVUOiGdE7uIeyAoSc6ESo6+NwskvpIFAO0CgU2VdimnGV3Xf1lEcB\n p0b6Z/kme1AzIuudPuuvtaDNVP/+PunLRQuAYVXNZNImIMYX054Olu+WMX9V3cSiJ6ds6YBv\n pzk2pL4PH6rA8SQJj7odsXkMqXoTOR87pe/OC7nUWwpDGy5e3lOWltSQ==;","From":"Ludwig Nussel <ludwig.nussel@siemens.com>","To":"u-boot@lists.denx.de","Cc":"Ludwig Nussel <ludwig.nussel@siemens.com>, Anshul Dalal <anshuld@ti.com>,\n George Chan <gchan9527@gmail.com>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>,\n \"Kory Maincent (TI.com)\" <kory.maincent@bootlin.com>,\n Martin Schwan <m.schwan@phytec.de>,\n Mattijs Korpershoek <mkorpershoek@kernel.org>, Peng Fan <peng.fan@nxp.com>,\n Quentin Schulz <quentin.schulz@cherry.de>, Simon Glass <sjg@chromium.org>,\n Tom Rini <trini@konsulko.com>","Subject":"[PATCH v2 3/4] image-fit-sig: Optionally require signatures","Date":"Thu, 30 Apr 2026 14:26:02 +0200","Message-ID":"\n <20260430142602.v2.3.6d1d5d14140677a76a7cd7bb99a9088d8c8f480c@changeid>","In-Reply-To":"<20260430122629.606153-1-ludwig.nussel@siemens.com>","References":"<20260430122629.606153-1-ludwig.nussel@siemens.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Flowmailer-Platform":"Siemens","Feedback-ID":"519:519-1328817:519-21489:flowmailer","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"If U-Boot is built with signature verification but no keys are\nincluded in the device tree, the boot would still continue.\nIntroduce FIT_SIGNATURE_REQUIRED to avoid a fail-open setup. The\ndefault is enabled which may break existing setups that rely on the\ninsecure behavior.\n\nSigned-off-by: Ludwig Nussel <ludwig.nussel@siemens.com>\n\n---\n\nChanges in v2:\n  - introduce FIT_SIGNATURE_REQUIRED\n\n boot/Kconfig         | 10 ++++++++++\n boot/image-fit-sig.c | 12 +++++++-----\n 2 files changed, 17 insertions(+), 5 deletions(-)","diff":"diff --git a/boot/Kconfig b/boot/Kconfig\nindex ae6f09a6ede..c90eae55a60 100644\n--- a/boot/Kconfig\n+++ b/boot/Kconfig\n@@ -124,6 +124,16 @@ config FIT_SIGNATURE\n \t  format support in this case, enable it using\n \t  CONFIG_LEGACY_IMAGE_FORMAT.\n \n+config FIT_SIGNATURE_REQUIRED\n+\tbool \"Require signature verification of FIT uImages\"\n+\tdepends on FIT_SIGNATURE\n+\tdefault y\n+\thelp\n+\t  This option requires that FIT uImages are signed. That\n+\t  means the U-Boot device tree must contain public keys for\n+\t  verification and all configuration sections must be signed\n+\t  using those keys.\n+\n config FIT_SIGNATURE_MAX_SIZE\n \thex \"Max size of signed FIT structures\"\n \tdepends on FIT_SIGNATURE\ndiff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c\nindex 433df20281f..9eabf33079b 100644\n--- a/boot/image-fit-sig.c\n+++ b/boot/image-fit-sig.c\n@@ -639,9 +639,11 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,\n \t/* Work out what we need to verify */\n \tkey_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);\n \tif (key_node < 0) {\n-\t\tdebug(\"%s: No signature node found: %s\\n\", __func__,\n-\t\t      fdt_strerror(key_node));\n-\t\treturn 0;\n+\t\tlog_err(\"No signature node found: %s\\n\", fdt_strerror(key_node));\n+\t\tif (IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED))\n+\t\t\treturn -EPERM;\n+\t\telse\n+\t\t\treturn 0;\n \t}\n \n \t/* Get required-mode policy property from DTB */\n@@ -685,8 +687,8 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,\n \t\t}\n \t}\n \n-\tif (reqd_sigs && !verified) {\n-\t\tprintf(\"Failed to verify 'any' of the required signature(s)\\n\");\n+\tif ((reqd_sigs || IS_ENABLED(CONFIG_FIT_SIGNATURE_REQUIRED)) && !verified) {\n+\t\tlog_err(\"Failed to verify 'any' of the required signature(s)\\n\");\n \t\treturn -EPERM;\n \t}\n \n","prefixes":["v2","3/4"]}