{"id":2231605,"url":"http://patchwork.ozlabs.org/api/patches/2231605/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260430223319.2663939-6-lukas.schmid@netcube.li/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430223319.2663939-6-lukas.schmid@netcube.li>","list_archive_url":null,"date":"2026-04-30T22:33:04","name":"[v2,5/6] sunxi: extend binman FIT description for signed SPL images","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"754a9861a44d63dbd8bb0aec5740a7a5fe74230c","submitter":{"id":90004,"url":"http://patchwork.ozlabs.org/api/people/90004/?format=json","name":"Lukas Schmid","email":"lukas.schmid@netcube.li"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260430223319.2663939-6-lukas.schmid@netcube.li/mbox/","series":[{"id":502402,"url":"http://patchwork.ozlabs.org/api/series/502402/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=502402","date":"2026-04-30T22:32:59","name":"sunxi: add NetCube Nagami support and T113 secure boot enablement","version":2,"mbox":"http://patchwork.ozlabs.org/series/502402/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231605/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231605/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=netcube.li header.i=@netcube.li header.a=rsa-sha256\n header.s=s1 header.b=Of7Fdkyr;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=netcube.li","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=netcube.li header.i=@netcube.li header.b=\"Of7Fdkyr\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=netcube.li","phobos.denx.de;\n spf=pass smtp.mailfrom=lukas.schmid@netcube.li"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g689G2zZTz1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 08:34:10 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 7CBBF844CF;\n\tFri,  1 May 2026 00:33:54 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 1BB228460D; Fri,  1 May 2026 00:33:52 +0200 (CEST)","from mail.netcube.li (mail.netcube.li [173.249.15.149])\n (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 2925D845C8\n for <u-boot@lists.denx.de>; Fri,  1 May 2026 00:33:50 +0200 (CEST)","from lukas-hpz440workstation.lan.sk100508.local\n (193-80-178-216.hdsl.highway.telekom.at [193.80.178.216])\n by mail.netcube.li with ESMTPA ; Fri, 1 May 2026 00:33:48 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","dkim-signature":"v=1; a=rsa-sha256; d=netcube.li; s=s1;\n c=relaxed/relaxed; q=dns/txt;\n h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References;\n bh=WqS98PaNxS2RmnM1eHM++iejeGjh5scYoEE4+zGI1Is=;\n b=Of7Fdkyr4eZ+FFXFlct4UToKkjXkLTC4TRONgyJjWe7ASqS4huA9hf8kI9Q6YO7BpjpYdmWMWQmJCkEu8pEw8szNZF7TM0dA9C9SoTiQukJENacyaWgb5NXPRNCHNcMVcA2zrvQ1NgOBT7DOUOACRxBkR5cH6hXUcLxci3zjnb0=","From":"Lukas Schmid <lukas.schmid@netcube.li>","To":"Andre Przywara <andre.przywara@arm.com>, Tom Rini <trini@konsulko.com>,\n Hans de Goede <hdegoede@redhat.com>,\n Jerome Forissier <jerome.forissier@arm.com>","Cc":"Lukas Schmid <lukas.schmid@netcube.li>,\n\tu-boot@lists.denx.de","Subject":"[PATCH v2 5/6] sunxi: extend binman FIT description for signed SPL\n images","Date":"Fri,  1 May 2026 00:33:04 +0200","Message-ID":"<20260430223319.2663939-6-lukas.schmid@netcube.li>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260430223319.2663939-1-lukas.schmid@netcube.li>","References":"<20260430223319.2663939-1-lukas.schmid@netcube.li>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Extend the sunxi binman/FIT description to support signed SPL FIT\nimages. Add an SPL public-key DTB image, per-image hash nodes,\nfit,sign support, and a configuration signature that covers\nfirmware, loadables and the selected FDT.\n\nHandle TOC0 SPL output as well by adding the required filename and\nmkimage wrapping so the generated sunxi image remains verifiable.\n\nSigned-off-by: Lukas Schmid <lukas.schmid@netcube.li>\n---\n arch/arm/dts/sunxi-u-boot.dtsi | 68 ++++++++++++++++++++++++++++++++--\n 1 file changed, 64 insertions(+), 4 deletions(-)","diff":"diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi\nindex e1a9a7f5d4c..313fcad3922 100644\n--- a/arch/arm/dts/sunxi-u-boot.dtsi\n+++ b/arch/arm/dts/sunxi-u-boot.dtsi\n@@ -27,6 +27,38 @@\n #endif\n \n &binman {\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\tspl {\n+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0\n+\t\tfilename = \"spl/u-boot-spl.bin\";\n+#else\n+\t\tfilename = \"spl/sunxi-spl.bin\";\n+#endif\n+\n+\t\tu-boot-spl-nodtb {\n+\t\t};\n+\n+\t\tu-boot-spl-pubkey-dtb {\n+\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\trequired = \"conf\";\n+\t\t\tkey-name-hint = \"dev\";\n+\t\t};\n+\t};\n+\n+#ifdef CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0\n+\timage {\n+\t\tfilename = \"spl/sunxi-spl.bin\";\n+\n+\t\tmkimage {\n+\t\t\targs = \"-a 0x20060 -T sunxi_toc0\";\n+\t\t\tdata-to-imagename;\n+\n+\t\t\tu-boot-spl {\n+\t\t\t};\n+\t\t};\n+\t};\n+#endif\n+#endif\n \tu-boot-sunxi-with-spl {\n \t\tfilename = \"u-boot-sunxi-with-spl.bin\";\n \t\tpad-byte = <0xff>;\n@@ -45,6 +77,9 @@\n \t\t\tdescription = \"Configuration to load U-Boot and firmware\";\n \t\t\t#address-cells = <1>;\n \t\t\tfit,fdt-list = \"of-list\";\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\tfit,sign;\n+#endif\n \n \t\t\timages {\n \t\t\t\tuboot {\n@@ -60,6 +95,11 @@\n \n \t\t\t\t\tu-boot-nodtb {\n \t\t\t\t\t};\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+#endif\n \t\t\t\t};\n \n #if CONFIG_SUNXI_BL31_BASE\n@@ -76,6 +116,11 @@\n \t\t\t\t\t\tfilename = \"bl31.bin\";\n \t\t\t\t\t\tmissing-msg = \"atf-bl31-sunxi\";\n \t\t\t\t\t};\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+#endif\n \t\t\t\t};\n #endif\n \n@@ -92,6 +137,11 @@\n \t\t\t\t\t\tmissing-msg = \"scp-sunxi\";\n \t\t\t\t\t\toptional;\n \t\t\t\t\t};\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+#endif\n \t\t\t\t};\n #endif\n \n@@ -99,6 +149,11 @@\n \t\t\t\t\tdescription = \"NAME\";\n \t\t\t\t\ttype = \"flat_dt\";\n \t\t\t\t\tcompression = \"none\";\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\t\t\thash {\n+\t\t\t\t\t\talgo = \"sha256\";\n+\t\t\t\t\t};\n+#endif\n \t\t\t\t};\n \t\t\t};\n \n@@ -108,16 +163,21 @@\n \t\t\t\t@config-SEQ {\n \t\t\t\t\tdescription = \"NAME\";\n #if CONFIG_SUNXI_BL31_BASE\n-\t\t\t\t\tfirmware = \"atf\";\n+\t\t\t\t\tfirmware = \"atf\", \"uboot\";\n #else\n \t\t\t\t\tfirmware = \"uboot\";\n #endif\n #if CONFIG_SUNXI_SCP_BASE\n-\t\t\t\t\tloadables = \"scp\", \"uboot\";\n-#else\n-\t\t\t\t\tloadables = \"uboot\";\n+\t\t\t\t\tloadables = \"scp\";\n #endif\n \t\t\t\t\tfdt = \"fdt-SEQ\";\n+#ifdef CONFIG_SPL_FIT_SIGNATURE\n+\t\t\t\t\tsignature {\n+\t\t\t\t\t\talgo = \"sha256,rsa2048\";\n+\t\t\t\t\t\tkey-name-hint = \"dev\";\n+\t\t\t\t\t\tsign-images = \"firmware\", \"loadables\", \"fdt\";\n+\t\t\t\t\t};\n+#endif\n \t\t\t\t};\n \t\t\t};\n \t\t};\n","prefixes":["v2","5/6"]}