Openembedded Core Discussions
From: Jamin Lin <jamin_lin@aspeedtech.com>
To: <openembedded-core@lists.openembedded.org>
Cc: <troy_lee@aspeedtech.com>, <jamin_lin@aspeedtech.com>
Subject: [PATCH v1 2/2] uboot-sign: Make SPL DTB public key injection optional
Date: Fri, 6 Jun 2025 15:19:15 +0800
Message-ID: <20250606071915.2680182-3-jamin_lin@aspeedtech.com>
In-Reply-To: <20250606071915.2680182-1-jamin_lin@aspeedtech.com>

Introduce SPL_SIGN_ADD_PUBKEY to control whether the public key is
added into the SPL device tree and whether FIT signature verification is
performed after signing.

Key changes:
- Added SPL_SIGN_ADD_PUBKEY variable (default = "1")
- Conditionally apply '-K <dtb>' to mkimage only if adding key is enabled
- Skip fit_check_sign when public key injection is disabled
- Suppress concat_spl_dtb() warnings if key adding is turned off

This allows U-Boot FIT images to be signed without modifying the SPL DTB,
useful in scenarios where public key management is handled elsewhere or
post-processing will be done separately.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 6ee1874cd6..3bcf47dd33 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -34,6 +34,12 @@ UBOOT_FITIMAGE_ENABLE ?= "0"
 # Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1"
 SPL_SIGN_ENABLE ?= "0"
 
+# Whether to add (embed) the public key into the SPL Device Tree (.dtb).
+# If set to "1", the key will be inserted into the /signature node of the DTB
+# and fit_check_sign will be used to verify the signature.
+# If set to "0", only signing will be performed, without modifying the DTB.
+SPL_SIGN_ADD_PUBKEY ?= "1"
+
 # Default value for deployment filenames.
 UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
 UBOOT_DTB_BINARY ?= "u-boot.dtb"
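Review bot: the comment for SPL_SIGN_ADD_PUBKEY should spell out the security consequence of "0", not just the mechanics: with the key left out of the SPL DTB the FIT signature is never checked at build time (fit_check_sign is skipped later in this patch), so a bad key directory or a mkimage signing error will only surface at boot, and the resulting SPL cannot verify the FIT on its own unless the key is provisioned by some other mechanism. Suggest adding a sentence such as "The build then performs no signature verification; the deployer is responsible for embedding the key and verifying the image" so that users do not read "0" as a harmless cosmetic switch. A matching entry in the variable documentation (alongside SPL_SIGN_ENABLE) would also help.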
@@ -245,7 +251,9 @@ concat_spl_dtb() {
 	if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
 		cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"
 	else
-		bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
+		if [ "${SPL_SIGN_ADD_PUBKEY}" = "1" ]; then
+			bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
+		fi
 	fi
 }
 
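Review bot: suppressing the bbwarn when SPL_SIGN_ADD_PUBKEY is "0" leaves the else branch completely silent, yet the function still exits without producing "${SPL_BINARY}", so a missing SPL_NODTB_BINARY or SPL_DTB_BINARY is no longer reported at all in that configuration. Rather than an empty branch, emit a bbnote/bbdebug for the "0" case (e.g. `bbnote "SPL_SIGN_ADD_PUBKEY=0, SPL binary not reassembled"`), and consider rewording the existing warning, since "Failure while adding public key" no longer describes the "0" case. Stylistically the nested `if` inside `else` reads more naturally as an `elif` on the same condition.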
@@ -474,15 +482,17 @@ EOF
 		${UBOOT_MKIMAGE_SIGN} \
 			${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
 			-F -k "${SPL_SIGN_KEYDIR}" \
-			-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+			${@'-K "${SPL_DIR}/${SPL_DTB_BINARY}"' if d.getVar("SPL_SIGN_ADD_PUBKEY") == "1" else ''} \
 			-r ${UBOOT_FITIMAGE_BINARY} \
 			${SPL_MKIMAGE_SIGN_ARGS}
 		#
 		# Verify the U-boot FIT image and SPL dtb
 		#
-		${UBOOT_FIT_CHECK_SIGN} \
-			-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
-			-f ${UBOOT_FITIMAGE_BINARY}
+		if [ "${SPL_SIGN_ADD_PUBKEY}" = "1" ]; then
+			${UBOOT_FIT_CHECK_SIGN} \
+				-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+				-f ${UBOOT_FITIMAGE_BINARY}
+		fi
 	fi
 
 	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
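Review bot: the two conditionals in this hunk gate on the same variable through different mechanisms: the mkimage `-K` argument uses an inline Python expression (`d.getVar("SPL_SIGN_ADD_PUBKEY") == "1"`) while the fit_check_sign call uses a shell test (`[ "${SPL_SIGN_ADD_PUBKEY}" = "1" ]`). Pick one, preferably the shell test already used for fit_check_sign, so the expansion-time and run-time views of the variable cannot diverge and the function stays readable. The "Verify the U-boot FIT image and SPL dtb" comment above the now-conditional call should also say that verification is intentionally skipped when the key is not embedded, so a reader does not mistake the skipped check for an oversight.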
-- 
2.43.0



Thread overview: 12+ messages
2025-06-06  7:19 [PATCH v1 0/2] uboot-sign: Make SPL DTB public key injection optional Jamin Lin
2025-06-06  7:19 ` [PATCH v1 1/2] uboot-sign: Avoid symlink and install errors when SPL DTB is missing Jamin Lin
2025-06-12 11:10   ` [OE-core] " Freihofer, Adrian
2025-06-13  2:24     ` Jamin Lin
2025-06-06  7:19 ` Jamin Lin [this message]
2025-06-12 10:58   ` [OE-core] [PATCH v1 2/2] uboot-sign: Make SPL DTB public key injection optional Freihofer, Adrian
2025-06-13  2:08     ` Jamin Lin
2025-06-13 12:36       ` Freihofer, Adrian
2025-06-16  3:50         ` Jamin Lin
2025-06-16  9:16           ` Freihofer, Adrian
2025-06-17  8:17             ` Jamin Lin
2025-06-18 10:03               ` Freihofer, Adrian
