From: Michael Opdenacker <michael.opdenacker@rootcommit.com>
To: Francesco Valla <francesco@valla.it>,
yocto@lists.yoctoproject.org,
Quentin Schulz <quentin.schulz@cherry.de>
Cc: michael.opdenacker@rootcommit.com,
Vyacheslav Yurkov <uvv.mail@gmail.com>
Subject: Re: [yocto] FIT image verification not working on imx8mm
Date: Sun, 1 Mar 2026 10:01:18 +0000 (UTC)
Message-ID: <0ef10528-815f-466e-86bf-076c6ba64c14@rootcommit.com>
In-Reply-To: <1ceab5c2-fbf9-4d26-b052-48058c1c260d@rootcommit.com>
Hi Francesco, Quentin,
Thanks again for your help with this issue!
Some updates...
On 2/24/26 7:06 PM, Michael Opdenacker wrote:
> Hi Francesco
>
> Thanks for having a look at this issue and the corresponding code,
> much appreciated!
>
> On 2/22/26 11:33 PM, Francesco Valla wrote:
>>
>> If it is 1 (as it might be, as meta-freescale sets it to 1 for imx8m*
>> SoCs if the bootloader is not u-boot-imx [0]), the imx-boot container
> is generated by U-Boot using binman, which however is / should not be
>> able to use the u-boot.dtb binary with the signature. The injection of
>> the signature in fact happens on the u-boot.dtb binary only after this
>> has been deployed [1], which in this case would be *after* the imx-boot
>> blob has been generated.
What you found out really helped, and I ultimately found that I'm
supposed to use the meta-toradex-security layer [1] which addresses
this need [2], along with other aspects of secure boot.
So, I tried to use its "main" branch together with the latest OE layers.
However, it turns out that Toradex only maintains their
"scarthgap-7.x.y" branch at the moment [3]. So, I'll switch back to my
original project on Scarthgap. If I understood correctly, I will have to:
- Inherit the "tdx-signed" global class
- Add this to my U-Boot recipe:
require recipes-bsp/u-boot/u-boot-fit-signature.inc
See
https://github.com/toradex/meta-toradex-security/blob/scarthgap-7.x.y/recipes-bsp/u-boot/u-boot-fit-signature.inc
for details.
This also automatically adds the needed config options to U-Boot:
https://github.com/toradex/meta-toradex-security/blob/scarthgap-7.x.y/recipes-bsp/u-boot/files/fit-signature.cfg
This corresponds to what you suggested, Quentin :)
I'll keep you posted.
Thanks again
Michael.
[1] https://github.com/toradex/meta-toradex-security
[2]
https://github.com/toradex/meta-toradex-security/blob/scarthgap-7.x.y/docs/README-secure-boot.md
[3] https://github.com/toradex/meta-toradex-security/pull/161
--
Root Commit
Embedded Linux Training and Consulting
https://rootcommit.com
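
Added example (not part of the thread, and not code from meta-toradex-security or meta-freescale): a Python check for the ordering problem described in the quoted text, which scans a built boot image such as imx-boot for embedded device trees and lists the keys under `/signature`. It assumes the control DTB is stored uncompressed in the image and that mkimage wrote the public key as a `/signature/key-*` node with a `required` property; the image path on the command line is yours to supply.

```python
import struct, sys

# Added example. Assumes the DTB sits uncompressed inside the boot image.
FDT_MAGIC = b"\xd0\x0d\xfe\xed"
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9

def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def signature_keys(dtb):
    """Return {key node name: {property: raw value}} for children of /signature."""
    _, _, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    pos, path, keys = off_struct, [], {}
    while True:
        (token,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if token == BEGIN_NODE:
            name = _cstr(dtb, pos)
            pos = (pos + len(name) + 1 + 3) & ~3   # name is NUL-padded to 4 bytes
            path.append(name)                      # root node has an empty name
            if len(path) == 3 and path[1] == "signature":
                keys[name] = {}
        elif token == PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            value = dtb[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
            if len(path) == 3 and path[1] == "signature":
                keys[path[2]][_cstr(dtb, off_strings + nameoff)] = value
        elif token == END_NODE:
            path.pop()
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError("bad FDT token %#x" % token)

def scan_image(blob):
    """Return [(offset, keys)] for every parseable DTB found in the image."""
    found, start = [], blob.find(FDT_MAGIC)
    while start != -1:
        try:
            found.append((start, signature_keys(blob[start:])))
        except (ValueError, struct.error, IndexError):
            pass  # magic bytes that do not start a real DTB
        start = blob.find(FDT_MAGIC, start + 4)
    return found

if __name__ == "__main__":
    for off, keys in scan_image(open(sys.argv[1], "rb").read()):
        print(hex(off), {k: v.get("required") for k, v in keys.items()})
```

An image in which every reported DTB shows an empty key set was assembled from a u-boot.dtb that never received the public key, so U-Boot has nothing to verify FIT signatures against.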