[PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images

[PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images

[Marta Rybczynska]

From: Marta Rybczynska <rybczynska@gmail.com>

The SPL FIT signing path was signing individual images, but not the configuration.

Introduce signing of configuration with images under a separate option SPL_SIGN_CONF,
enabled by default. It implies changes in the DTB content.

The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be removed in
a subsequent patch.

Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 77 ++++++++++++++++++++++++--
 1 file changed, 73 insertions(+), 4 deletions(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 9cb5c6ccf3..d8e7252cc3 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -34,6 +34,16 @@ UBOOT_FITIMAGE_ENABLE ?= "0"
 # Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1"
 SPL_SIGN_ENABLE ?= "0"
 
+# Sign the FIT configuration in the SPL signing flow. Configuration
+# signatures bind the selected images and boot metadata together.
+SPL_SIGN_CONF ?= "1"
+
+# Legacy compatibility knob for per-image signatures in the SPL FIT path.
+# Individual image signatures do not protect the configuration metadata
+# which selects and parameterizes the boot images.
+# INSECURE, use at your own risk
+SPL_SIGN_INDIVIDUAL ?= "0"
+
 # Default value for deployment filenames.
 UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
 UBOOT_DTB_BINARY ?= "u-boot.dtb"
@@ -325,7 +335,15 @@ uboot_fitimage_atf() {
             entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
             compression = "none";
 EOF
-	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+            hash-1 {
+                algo = "${UBOOT_FIT_HASH_ALG}";
+            };
+EOF
+	fi
+
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 		cat << EOF >> ${UBOOT_ITS}
             signature {
                 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -352,7 +370,15 @@ uboot_fitimage_tee() {
             entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
             compression = "none";
 EOF
-	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+            hash-1 {
+                algo = "${UBOOT_FIT_HASH_ALG}";
+            };
+EOF
+	fi
+
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 		cat << EOF >> ${UBOOT_ITS}
             signature {
                 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -393,7 +419,15 @@ uboot_fitimage_assemble() {
             entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>;
 EOF
 
-	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+            hash-1 {
+                algo = "${UBOOT_FIT_HASH_ALG}";
+            };
+EOF
+	fi
+
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 		cat << EOF >> ${UBOOT_ITS}
             signature {
                 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -412,7 +446,15 @@ EOF
             compression = "none";
 EOF
 
-	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+            hash-1 {
+                algo = "${UBOOT_FIT_HASH_ALG}";
+            };
+EOF
+	fi
+
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 		cat << EOF >> ${UBOOT_ITS}
             signature {
                 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -442,8 +484,10 @@ EOF
 		conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}"
 	fi
 
+	conf_sign_images='"loadables", "fdt"'
 	if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then
 		conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";"
+		conf_sign_images='"firmware", "loadables", "fdt"'
 	fi
 
 	cat << EOF >> ${UBOOT_ITS}
@@ -456,6 +500,19 @@ EOF
             ${conf_firmware}
             loadables = ${conf_loadables};
             fdt = "fdt";
+EOF
+
+	if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+		cat << EOF >> ${UBOOT_ITS}
+            signature {
+                algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+                key-name-hint = "${SPL_SIGN_KEYNAME}";
+                sign-images = ${conf_sign_images};
+            };
+EOF
+	fi
+
+	cat << EOF >> ${UBOOT_ITS}
         };
     };
 };
@@ -470,6 +527,18 @@ EOF
 		${UBOOT_FITIMAGE_BINARY}
 
 	if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+		if [ "${SPL_SIGN_CONF}" != "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" != "1" ] ; then
+			bbfatal "SPL_SIGN_ENABLE=1 requires SPL_SIGN_CONF=1 or SPL_SIGN_INDIVIDUAL=1"
+		fi
+
+		if [ "${SPL_SIGN_CONF}" != "1" ] ; then
+			bbwarn "SPL_SIGN_CONF is disabled. FIT configuration signing is recommended for SPL verified boot."
+		fi
+
+		if [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
+			bbwarn "SPL_SIGN_INDIVIDUAL=1 is enabled for compatibility only. It is INSECURE. Individual image signatures do not replace configuration signing."
+		fi
+
 		if [ -n "${SPL_DTB_BINARY}" ] ; then
 			#
 			# Sign the U-boot FIT image and add public key to SPL dtb
-- 
2.47.3

[PATCH v2 2/2] oe-selftest: fitimage: support new schema for uboot configuration signing

[Marta Rybczynska]

From: Marta Rybczynska <rybczynska@gmail.com>

Modify testcases after adding signing of a configuration of uboot instead
of various sections separately.

This change includes an additional parameter to _check_signing that allows
more flexible configuration and avoids assumptions on what section has,
and which section does not have a signature - now they are defined
in a data structure.

Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
---
 meta/lib/oeqa/selftest/cases/fitimage.py | 53 +++++++++++++++---------
 1 file changed, 34 insertions(+), 19 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 3541c07520..ad523e93c1 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -365,7 +365,7 @@ class FitImageTestCase(OESelftestTestCase):
         self._is_req_dict_in_dict(sections, req_sections)
 
         # Call the signing related checks if the function is provided by a inherited class
-        self._check_signing(bb_vars, sections, num_signatures, uboot_tools_bindir, fitimage_path)
+        self._check_signing(bb_vars, sections, req_sections, num_signatures, uboot_tools_bindir, fitimage_path)
 
     def _get_req_its_paths(self, bb_vars):
         self.logger.error("This function needs to be implemented")
@@ -387,7 +387,7 @@ class FitImageTestCase(OESelftestTestCase):
         self.logger.error("This function needs to be implemented")
         return ({}, 0)
 
-    def _check_signing(self, bb_vars, sections, num_signatures, uboot_tools_bindir, fitimage_path):
+    def _check_signing(self, bb_vars, sections, req_sections, num_signatures, uboot_tools_bindir, fitimage_path):
         """Verify the signatures in the FIT image."""
         self.fail("Function needs to be implemented by inheriting classes")
 
@@ -789,7 +789,7 @@ class KernelFitImageBase(FitImageTestCase):
                     num_signatures += 1
         return (req_sections, num_signatures)
 
-    def _check_signing(self, bb_vars, sections, num_signatures, uboot_tools_bindir, fitimage_path):
+    def _check_signing(self, bb_vars, sections, req_sections, num_signatures, uboot_tools_bindir, fitimage_path):
         """Verify the signature nodes in the FIT image"""
         if bb_vars['UBOOT_SIGN_ENABLE'] == "1":
             self.logger.debug("Verifying signatures in the FIT image")
@@ -809,6 +809,8 @@ class KernelFitImageBase(FitImageTestCase):
         for section, values in sections.items():
             # Configuration nodes are always signed with UBOOT_SIGN_KEYNAME (if UBOOT_SIGN_ENABLE = "1")
             if section.startswith(bb_vars['FIT_CONF_PREFIX']):
+                if 'Sign algo' not in req_values[section]:
+                    continue
                 sign_algo = values.get('Sign algo', None)
                 req_sign_algo = "%s,%s:%s" % (fit_hash_alg, fit_sign_alg, uboot_sign_keyname)
                 self.assertEqual(sign_algo, req_sign_algo, 'Signature algorithm for %s not expected value' % section)
@@ -1329,6 +1331,8 @@ class UBootFitImageTests(FitImageTestCase):
             'SPL_MKIMAGE_SIGN_ARGS',
             'SPL_SIGN_ENABLE',
             'SPL_SIGN_KEYNAME',
+            'SPL_SIGN_INDIVIDUAL',
+            'SPL_SIGN_CONF',
             'UBOOT_ARCH',
             'UBOOT_DTB_BINARY',
             'UBOOT_DTB_IMAGE',
@@ -1382,10 +1386,14 @@ class UBootFitImageTests(FitImageTestCase):
         req_its_paths = []
         for image in images:
             req_its_paths.append(['/', 'images', image])
-            if bb_vars['SPL_SIGN_ENABLE'] == "1":
+            if bb_vars['SPL_SIGN_ENABLE'] == "1" and bb_vars['SPL_SIGN_INDIVIDUAL'] == "1":
                 req_its_paths.append(['/', 'images', image, 'signature'])
+            elif bb_vars['SPL_SIGN_ENABLE'] == "1" and bb_vars['SPL_SIGN_CONF'] == "1":
+                req_its_paths.append(['/', 'images', image, 'hash-1'])
         for configuration in configurations:
             req_its_paths.append(['/', 'configurations', configuration])
+            if bb_vars['SPL_SIGN_ENABLE'] == "1" and bb_vars['SPL_SIGN_CONF'] == "1":
+                req_its_paths.append(['/', 'configurations', 'conf', 'signature'])
         return (req_its_paths, [])
 
     def _get_req_its_fields(self, bb_vars):
@@ -1493,16 +1501,26 @@ class UBootFitImageTests(FitImageTestCase):
         uboot_fit_sign_alg = bb_vars['UBOOT_FIT_SIGN_ALG']
         spl_sign_enable = bb_vars['SPL_SIGN_ENABLE']
         spl_sign_keyname = bb_vars['SPL_SIGN_KEYNAME']
+        spl_sign_conf = bb_vars['SPL_SIGN_CONF']
+        spl_sign_individual = bb_vars['SPL_SIGN_INDIVIDUAL']
         num_signatures = 0
         if spl_sign_enable == "1":
             for section in req_sections:
-                if not section.startswith('conf'):
-                    req_sections[section]['Sign algo'] = "%s,%s:%s" % \
-                        (uboot_fit_hash_alg, uboot_fit_sign_alg, spl_sign_keyname)
-                    num_signatures += 1
+                if section.startswith('conf'):
+                    if spl_sign_conf == "1":
+                        req_sections[section]['Sign algo'] = "%s,%s:%s" % \
+                            (uboot_fit_hash_alg, uboot_fit_sign_alg, spl_sign_keyname)
+                        num_signatures += 1
+                else:
+                    if spl_sign_conf == "1":
+                        req_sections[section]['Hash algo'] = uboot_fit_hash_alg
+                    elif spl_sign_individual == "1":
+                        req_sections[section]['Sign algo'] = "%s,%s:%s" % \
+                            (uboot_fit_hash_alg, uboot_fit_sign_alg, spl_sign_keyname)
+                        num_signatures += 1
         return (req_sections, num_signatures)
 
-    def  _check_signing(self, bb_vars, sections, num_signatures, uboot_tools_bindir, fitimage_path):
+    def  _check_signing(self, bb_vars, sections, req_sections, num_signatures, uboot_tools_bindir, fitimage_path):
         if bb_vars['UBOOT_FITIMAGE_ENABLE'] == '1' and bb_vars['SPL_SIGN_ENABLE'] == "1":
             self.logger.debug("Verifying signatures in the FIT image")
         else:
@@ -1515,16 +1533,13 @@ class UBootFitImageTests(FitImageTestCase):
         fit_sign_alg_len = FitImageTestCase.MKIMAGE_SIGNATURE_LENGTHS[uboot_fit_sign_alg]
         for section, values in sections.items():
             # Configuration nodes are always signed with UBOOT_SIGN_KEYNAME (if UBOOT_SIGN_ENABLE = "1")
-            if section.startswith("conf"):
-                # uboot-sign does not sign configuration nodes
-                pass
-            else:
-                # uboot-sign does not add hash nodes, only image signatures
-                sign_algo = values.get('Sign algo', None)
-                req_sign_algo = "%s,%s:%s" % (uboot_fit_hash_alg, uboot_fit_sign_alg, spl_sign_keyname)
-                self.assertEqual(sign_algo, req_sign_algo, 'Signature algorithm for %s not expected value' % section)
-                sign_value = values.get('Sign value', None)
-                self.assertEqual(len(sign_value), fit_sign_alg_len, 'Signature value for section %s not expected length' % section)
+            if 'Sign algo' not in req_sections[section]:
+               continue
+            sign_algo = values.get('Sign algo', None)
+            req_sign_algo = "%s,%s:%s" % (uboot_fit_hash_alg, uboot_fit_sign_alg, spl_sign_keyname)
+            self.assertEqual(sign_algo, req_sign_algo, 'Signature algorithm for %s not expected value' % section)
+            sign_value = values.get('Sign value', None)
+            self.assertEqual(len(sign_value), fit_sign_alg_len, 'Signature value for section %s not expected length' % section)
 
         # Search for the string passed to mkimage in each signed section of the FIT image.
         # Looks like mkimage supports to add a comment but does not support to read it back.
-- 
2.47.3

Re: [OE-core] [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images

[Mathieu Dubois-Briand]

On Tue May 26, 2026 at 11:40 AM CEST, Marta Rybczynska via lists.openembedded.org wrote:
> From: Marta Rybczynska <rybczynska@gmail.com>
>
> The SPL FIT signing path was signing individual images, but not the configuration.
>
> Introduce signing of configuration with images under a separate option SPL_SIGN_CONF,
> enabled by default. It implies changes in the DTB content.
>
> The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be removed in
> a subsequent patch.
>
> Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>

Hi Marta,

Thanks for the new version. I believe we still have two selftest
failures because of it:

2026-05-26 16:34:33,908 - oe-selftest - INFO - fitimage.UBootFitImageTests.test_sign_standalone_uboot_atf_tee_fit_image (subunit.RemotedTestCase)
2026-05-26 16:34:33,909 - oe-selftest - INFO -  ... FAIL
...
ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3572291' failed with exit code 1
...
| Signature written to 'u-boot-fitImage', node '/configurations/conf/signature'
| Public key written to 'spl/u-boot-spl.dtb', node '/signature/key-spl-oe-selftest'
| Signature check bad (error 1)
| Verifying Hash Integrity for node 'conf'... sha256,rsa2048:spl-oe-selftest+
| sha256,rsa2048:spl-oe-selftest-
|  error!
| Verification failed for '(null)' hash node in 'conf' config node
| Failed to verify required signature 'key-spl-cascaded-oe-selftest'
| WARNING: exit code 1 from a shell command.
...
2026-05-26 16:35:33,469 - oe-selftest - INFO - fitimage.UBootFitImageTests.test_sign_standalone_uboot_fit_image (subunit.RemotedTestCase)
2026-05-26 16:35:33,469 - oe-selftest - INFO -  ... FAIL
...
ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3689059' failed with exit code 1
...
| Signature written to 'u-boot-fitImage', node '/configurations/conf/signature'
| Public key written to 'spl/u-boot-spl.dtb', node '/signature/key-spl-oe-selftest'
| Signature check bad (error 1)
| Verifying Hash Integrity for node 'conf'... sha256,rsa2048:spl-oe-selftest+
| sha256,rsa2048:spl-oe-selftest-
|  error!
| Verification failed for '(null)' hash node in 'conf' config node
| Failed to verify required signature 'key-spl-cascaded-oe-selftest'
| WARNING: exit code 1 from a shell command.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3999
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3905
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3770

Can you have a look at the issue?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH v2 1/2] uboot-sign: sign SPL FIT configurations instead of images

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 3231 bytes --]

On Wed, May 27, 2026 at 8:58 AM Mathieu Dubois-Briand <
mathieu.dubois-briand@bootlin.com> wrote:

> On Tue May 26, 2026 at 11:40 AM CEST, Marta Rybczynska via
> lists.openembedded.org wrote:
> > From: Marta Rybczynska <rybczynska@gmail.com>
> >
> > The SPL FIT signing path was signing individual images, but not the
> configuration.
> >
> > Introduce signing of configuration with images under a separate option
> SPL_SIGN_CONF,
> > enabled by default. It implies changes in the DTB content.
> >
> > The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be
> removed in
> > a subsequent patch.
> >
> > Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
>
> Hi Marta,
>
> Thanks for the new version. I believe we still have two selftest
> failures because of it:
>
> 2026-05-26 16:34:33,908 - oe-selftest - INFO -
> fitimage.UBootFitImageTests.test_sign_standalone_uboot_atf_tee_fit_image
> (subunit.RemotedTestCase)
> 2026-05-26 16:34:33,909 - oe-selftest - INFO -  ... FAIL
> ...
> ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of
> '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3572291'
> failed with exit code 1
> ...
> | Signature written to 'u-boot-fitImage', node
> '/configurations/conf/signature'
> | Public key written to 'spl/u-boot-spl.dtb', node
> '/signature/key-spl-oe-selftest'
> | Signature check bad (error 1)
> | Verifying Hash Integrity for node 'conf'...
> sha256,rsa2048:spl-oe-selftest+
> | sha256,rsa2048:spl-oe-selftest-
> |  error!
> | Verification failed for '(null)' hash node in 'conf' config node
> | Failed to verify required signature 'key-spl-cascaded-oe-selftest'
> | WARNING: exit code 1 from a shell command.
> ...
> 2026-05-26 16:35:33,469 - oe-selftest - INFO -
> fitimage.UBootFitImageTests.test_sign_standalone_uboot_fit_image
> (subunit.RemotedTestCase)
> 2026-05-26 16:35:33,469 - oe-selftest - INFO -  ... FAIL
> ...
> ERROR: u-boot-1_2026.04-r0 do_uboot_assemble_fitimage: Execution of
> '/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2700759/tmp/work/qemuarm-poky-linux-gnueabi/u-boot/2026.04/temp/run.do_uboot_assemble_fitimage.3689059'
> failed with exit code 1
> ...
> | Signature written to 'u-boot-fitImage', node
> '/configurations/conf/signature'
> | Public key written to 'spl/u-boot-spl.dtb', node
> '/signature/key-spl-oe-selftest'
> | Signature check bad (error 1)
> | Verifying Hash Integrity for node 'conf'...
> sha256,rsa2048:spl-oe-selftest+
> | sha256,rsa2048:spl-oe-selftest-
> |  error!
> | Verification failed for '(null)' hash node in 'conf' config node
> | Failed to verify required signature 'key-spl-cascaded-oe-selftest'
> | WARNING: exit code 1 from a shell command.
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3999
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3905
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3770
>
> Can you have a look at the issue?


Looking into it. Those tests work in my setup. To be continued.

Regards,
Marta

[-- Attachment #2: Type: text/html, Size: 4416 bytes --]