From: Vyacheslav Yurkov <uvv.mail@gmail.com>
To: Michael Opdenacker <michael.opdenacker@rootcommit.com>,
yocto@lists.yoctoproject.org
Subject: Re: FIT image verification not working on imx8mm
Date: Sun, 22 Feb 2026 14:50:18 +0100 [thread overview]
Message-ID: <2c7cc712-18e6-4b8d-825c-35dec015166f@gmail.com> (raw)
In-Reply-To: <caa7c5c6-5fd5-4a73-8c74-b60fb9012a7c@rootcommit.com>
[-- Attachment #1: Type: text/plain, Size: 4087 bytes --]
Hi Michael,
I believe the message is correct:
> Verifying Hash Integrity ... sha256+ OK
The "+" sign means the signature verification succeeded. The "-" would
mean otherwise.
I've just tried again to boot a fit image built without
UBOOT_SIGN_ENABLE and got:
> No 'signature' subnode found for '<NULL>' hash node in 'conf-my-dtb'
config node
Do you use the u-boot as SPL by any chance?
Slava
On 21.02.2026 11:39, Michael Opdenacker wrote:
>
> Greetings,
>
> For a secure boot project on Toradex Verdin with imx8mm, I'm trying to
> enable FIT image signature verification in U-Boot.
>
> Slava's "Generation of FIT images" presentation at the recent OE
> workshop has been very useful:
> https://pretalx.com/media/openembedded-workshop-2026-2025/submissions/R8KJQZ/resources/_LJtpFTR.pdf
>
> I generated a temporary local RSA 2048 key, and I'm using it to sign a
> FIT image.
>
> I also set the UBOOT_SIGN_KEYDIR, UBOOT_SIGN_KEYNAME and
> UBOOT_SIGN_ENABLE variables to add the public key to U-Boot's DTB.
>
> The signature indeed appears in the generated u-boot.dtb file, in a
> "/signature" node:
>
> signature {
>
> key-imx8mmsb {
> required = "conf";
> algo = "sha256,rsa2048";
> rsa,r-squared = <0x56bb2a2b 0xc6b322cc 0x2f828666
> 0x75c8bc46 0xd13093af 0xc2244c35 0xb6420649 0x478d7ed3 0xeb7a0399
> 0x3b1d49a9 0xc106169d 0x7328dbb4 0x2140c49b 0x111732a1 0xb3286fed
> 0x53937163 0x8c28f85c 0xe272b1ee 0x5e009a53 0x13883205 0xcda0fbc7
> 0xd7ed4e75 0x9ed065c1 0xb6ca1e69 0xf2c9dce2 0xcf8ebf7b 0x59a72b94
> 0x501d2751 0x437e3355 0xcba6b07a 0x9b13feea 0x1032d715 0xab3cdd83
> 0x319b6bb0 0xfc31ff93 0xb7fabbb6 0x79d5d0fa 0x9c0f76e0 0x3528c22e
> 0xbbec6d6c 0x7981362f 0x528848a9 0xb57aa235 0x462ed577 0x4ccc8b9d
> 0xeb4ce969 0x5fb085b3 0x3fced511 0xfd98edfe 0xf3a4ca51 0x1bb74370
> 0x3a11c748 0xbbd5be95 0x946f8b3f 0x3d8c98b6 0x3b0e00a8 0xeca87fc6
> 0x7331981e 0xaaee80df 0x476816f2 0x509aaab1 0xa5f50e1a 0x474d0de8
> 0xc551ac97>;
> rsa,modulus = <0xb3ade247 0x4b8d0aef 0x4581e5e9 0x6084f135
> 0x778847c7 0xaf23976f 0x81b6eb84 0xa2406db4 0x2b89e624 0x81f913c9
> 0xd6ebef10 0x3e30adee 0xbca06cbe 0x5693b23b 0xc6b211f1 0xfea7a90d
> 0x2767ca7c 0xaa8b2ddb 0xcf8a63ea 0x66fe8c59 0x43b34a2f 0x720009d8
> 0xa2a61281 0x2f7fe049 0xfc3d10e5 0x1b52409 0xdeb52a16 0xa4e5fa78
> 0x7116d181 0xc0c2f39e 0x24a626b4 0x7e59438b 0x6680b1f4 0xc4b1184c
> 0x8bb65f34 0x92038fd7 0x3901c347 0xc2095158 0x3159031a 0xaa4bb76c
> 0xc53f2009 0x9f4941f8 0x736ca84a 0xd83bd011 0x3685d02c 0x6f4cb5e7
> 0xd07e8566 0x173819f 0x8f41366d 0x8b0f82fd 0x54c01fc0 0xc216cbd5
> 0x2fc4a666 0x426ff669 0x880428ca 0x7c7615c 0xcdc97895 0x8c936a3c
> 0xd6d7e82e 0x5bf63d9d 0x9fcd83a2 0xb131015f 0xc530c031 0x8446f707>;
> rsa,exponent = <0x00 0x10001>;
> rsa,n0-inverse = <0x93653949>;
> rsa,num-bits = <0x800>;
> key-name-hint = "imx8mmsb";
> };
> };
>
> I also compiled U-Boot with
> |CONFIG_FIT_SIGNATURE=y
> |
> However, when U-Boot loads the FIT image, it only checks the integrity
> of the sha256 hash of the FIT image parts:
> Verifying Hash Integrity ... sha256+ OK
>
> No signature checking happens. I can also load an unsigned FIT image
> which is accepted too. Indeed, when I open the generated "imx-boot"
> file (or "flash.bin", linking to the same file) that is used to boot
> the board, I can see a DTB for my board, but it doesn't contain any
> "signature" node, unlike in "u-boot.dtb".
>
> What could I be missing? My layer, along with a kas file to generate
> the image, is available on
> https://gitlab.com/rootcommit/meta-imx8mm-secureboot. I'm using the
> Toradex Easy Installer (Tezi) to flash the image on eMMC. My layer is
> relies on the "master" branches of the required layers, but I have the
> same problem on Scarthgap too.
>
> Any suggestions are appreciated.
> Thanks in advance
> Michael.
>
> --
> Root Commit
> Embedded Linux Training and Consulting
> https://rootcommit.com
[-- Attachment #2: Type: text/html, Size: 5907 bytes --]
next prev parent reply other threads:[~2026-02-22 13:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 10:39 FIT image verification not working on imx8mm Michael Opdenacker
2026-02-22 8:30 ` [yocto] " Marco Cavallini
2026-02-22 13:50 ` Vyacheslav Yurkov [this message]
2026-02-22 16:07 ` Michael Opdenacker
2026-02-27 12:03 ` [yocto] " Quentin Schulz
2026-02-22 22:33 ` Francesco Valla
2026-02-24 18:06 ` Michael Opdenacker
2026-03-01 10:01 ` Michael Opdenacker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c7cc712-18e6-4b8d-825c-35dec015166f@gmail.com \
--to=uvv.mail@gmail.com \
--cc=michael.opdenacker@rootcommit.com \
--cc=yocto@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox