FIT load checks the signature on loadable images, but just continues in the case of a failure. This is undesirable behavior because the boot process depends on the authenticity of every loadable part.
Add a check that verifies the FIT's configuration block, and fails if it's not present or the signature doesn't match.

Henry Beberman (1):
  spl: Add CONFIG_SPL_FIT_SIGNATURE_STRICT

Ricardo Salveti (1):
  cmd: Add CONFIG_FIT_SIGNATURE_STRICT

 cmd/fpga.c           | 14 ++++++++++++++
 cmd/source.c         | 14 ++++++++++++++
 cmd/ximg.c           | 14 ++++++++++++++
 common/Kconfig.boot  | 11 +++++++++++
 common/spl/spl_fit.c | 21 ++++++++++++++++++++-
 5 files changed, 73 insertions(+), 1 deletion(-)

--
2.31.1