{"id":2231607,"url":"http://patchwork.ozlabs.org/api/patches/2231607/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260430223319.2663939-5-lukas.schmid@netcube.li/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430223319.2663939-5-lukas.schmid@netcube.li>","list_archive_url":null,"date":"2026-04-30T22:33:03","name":"[v2,4/6] boot: allow SPL FIT signature verification without DM","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"5dd94e212cc7bdab3f83f68392c9b9302a88aca6","submitter":{"id":90004,"url":"http://patchwork.ozlabs.org/api/people/90004/?format=json","name":"Lukas Schmid","email":"lukas.schmid@netcube.li"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260430223319.2663939-5-lukas.schmid@netcube.li/mbox/","series":[{"id":502402,"url":"http://patchwork.ozlabs.org/api/series/502402/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=502402","date":"2026-04-30T22:32:59","name":"sunxi: add NetCube Nagami support and T113 secure boot enablement","version":2,"mbox":"http://patchwork.ozlabs.org/series/502402/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231607/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231607/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=netcube.li header.i=@netcube.li header.a=rsa-sha256\n header.s=s1 header.b=o0brG4SN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=netcube.li","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=netcube.li header.i=@netcube.li header.b=\"o0brG4SN\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=netcube.li","phobos.denx.de;\n spf=pass smtp.mailfrom=lukas.schmid@netcube.li"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g689l4Z2xz1yJv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 08:34:35 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id CA5858460C;\n\tFri,  1 May 2026 00:33:55 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id EAE06845C8; Fri,  1 May 2026 00:33:53 +0200 (CEST)","from mail.netcube.li (mail.netcube.li [173.249.15.149])\n (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id B22CD84198\n for <u-boot@lists.denx.de>; Fri,  1 May 2026 00:33:50 +0200 (CEST)","from lukas-hpz440workstation.lan.sk100508.local\n (193-80-178-216.hdsl.highway.telekom.at [193.80.178.216])\n by mail.netcube.li with ESMTPA ; Fri, 1 May 2026 00:33:46 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2","dkim-signature":"v=1; a=rsa-sha256; d=netcube.li; s=s1;\n c=relaxed/relaxed; q=dns/txt;\n h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References;\n bh=Zq0qmAlMWxTJOYcL3mW4bjKwgi3QCMcSHdbIEEhZnxM=;\n b=o0brG4SNOwWECFOyE1lpf/+JvUxIuXC63a6llMpCHU/MyphGROJUg9ZirqPmaT6cxheMLGFp9AAOYGh7lsWvjgT0F06PiRpb0EYhxX7X47wxFIPt6k81EKMMJP1hNEj07VjhBNjG3vF5q9r15hQdCmXFBfiDq+MGyWc9wi20qwA=","From":"Lukas Schmid <lukas.schmid@netcube.li>","To":"Andre Przywara <andre.przywara@arm.com>, Tom Rini <trini@konsulko.com>,\n Hans de Goede <hdegoede@redhat.com>,\n Jerome Forissier <jerome.forissier@arm.com>","Cc":"Lukas Schmid <lukas.schmid@netcube.li>,\n\tu-boot@lists.denx.de","Subject":"[PATCH v2 4/6] boot: allow SPL FIT signature verification without DM","Date":"Fri,  1 May 2026 00:33:03 +0200","Message-ID":"<20260430223319.2663939-5-lukas.schmid@netcube.li>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260430223319.2663939-1-lukas.schmid@netcube.li>","References":"<20260430223319.2663939-1-lukas.schmid@netcube.li>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"SPL FIT verification was effectively tied to Driver Model. The RSA\nverifier assumed a DM-backed modexp device, and SPL_FIT_SIGNATURE\ndepended on SPL_DM. This prevents non-DM SPL platforms from using\nFIT signature verification even though the software modular exponent\nfallback is already available.\n\nDrop the hard SPL_DM dependency and only look up the modexp device\nwhen DM is enabled. Non-DM SPL builds then fall back to the software\nimplementation and can enable signed FIT verification.\n\nSigned-off-by: Lukas Schmid <lukas.schmid@netcube.li>\n---\n boot/Kconfig         |  1 -\n lib/rsa/rsa-verify.c | 16 ++++++++++------\n 2 files changed, 10 insertions(+), 7 deletions(-)","diff":"diff --git a/boot/Kconfig b/boot/Kconfig\nindex 4e9bc9491a0..6ccb7d44a5e 100644\n--- a/boot/Kconfig\n+++ b/boot/Kconfig\n@@ -202,7 +202,6 @@ config SPL_FIT_FULL_CHECK\n \n config SPL_FIT_SIGNATURE\n \tbool \"Enable signature verification of FIT firmware within SPL\"\n-\tdepends on SPL_DM\n \tdepends on SPL_LOAD_FIT\n \tselect FIT_SIGNATURE\n \tselect SPL_FIT\ndiff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c\nindex 3169c3a6dd1..24b23ab565a 100644\n--- a/lib/rsa/rsa-verify.c\n+++ b/lib/rsa/rsa-verify.c\n@@ -355,13 +355,17 @@ static int rsa_verify_key(struct image_sign_info *info,\n \thash_len = checksum->checksum_len;\n \n #if !defined(USE_HOSTCC)\n-\tret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);\n-\tif (ret) {\n-\t\tprintf(\"RSA: Can't find Modular Exp implementation\\n\");\n-\t\treturn -EINVAL;\n-\t}\n+\tif (CONFIG_IS_ENABLED(DM)) {\n+\t\tret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);\n+\t\tif (ret) {\n+\t\t\tprintf(\"RSA: Can't find Modular Exp implementation\\n\");\n+\t\t\treturn -EINVAL;\n+\t\t}\n \n-\tret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);\n+\t\tret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);\n+\t} else {\n+\t\tret = rsa_mod_exp_sw(sig, sig_len, prop, buf);\n+\t}\n #else\n \tret = rsa_mod_exp_sw(sig, sig_len, prop, buf);\n #endif\n","prefixes":["v2","4/6"]}