Boards using secure boot but lacking SPL_DM support currently cannot
use FIT signature verification in SPL, as SPL_FIT_SIGNATURE depends
on SPL_DM.  This dependency is only needed for hardware RSA modular
exponentiation drivers; software RSA verification works without DM.

Remove the SPL_DM dependency in Kconfig and guard the hardware RSA
path in rsa-verify.c with CONFIG_IS_ENABLED(DM).  This allows SPL to
verify signed FIT images using the software RSA implementation on
non-DM systems.

Signed-off-by: Lukas Schmid <lukas.sch...@netcube.li>
---
 boot/Kconfig         |  2 +-
 lib/rsa/rsa-verify.c | 27 ++++++++++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index a671d78e..6c0e2a49 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -203,7 +203,7 @@ config SPL_FIT_FULL_CHECK
 
 config SPL_FIT_SIGNATURE
        bool "Enable signature verification of FIT firmware within SPL"
-       depends on SPL_DM
+#      depends on SPL_DM
        depends on SPL_LOAD_FIT || SPL_LOAD_FIT_FULL
        select FIT_SIGNATURE
        select SPL_FIT
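Review bot: The dependency is commented out (`#      depends on SPL_DM`) rather than deleted, which leaves dead text in Kconfig and does not match the commit message's "Remove"; the line should simply be dropped. Nothing visible in this hunk makes SPL_FIT_SIGNATURE select or depend on a software modular-exponentiation backend for SPL. It is worth confirming against the lib/rsa Kconfig and Makefile (not shown here) that a non-DM SPL build actually gets `rsa_mod_exp_sw()` linked in. For a secure-boot option, a missing backend should surface as a configuration or build error rather than as a runtime verification failure.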
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index b65fbe44..314f75a2 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -327,8 +327,9 @@ static int rsa_verify_key(struct image_sign_info *info,
                          const uint32_t key_len)
 {
        int ret;
-#if !defined(USE_HOSTCC)
-       struct udevice *mod_exp_dev;
+#ifndef USE_HOSTCC
+       if (IS_ENABLED(CONFIG_DM))
+               struct udevice *mod_exp_dev;
 #endif
        struct checksum_algo *checksum = info->checksum;
        struct padding_algo *padding = info->padding;
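Review bot: `if (IS_ENABLED(CONFIG_DM))` followed by `struct udevice *mod_exp_dev;` is not valid C, because a declaration is not a statement and cannot be the body of an `if`. Even if a compiler accepted it, the variable would be out of scope before `uclass_get_device()` uses it in the next hunk. Keep the plain declaration `struct udevice *mod_exp_dev;` inside the `#ifndef USE_HOSTCC` block and let the run-time-style `if` in the next hunk decide whether it is used. The pointer is still referenced in the (possibly dead) hardware branch, so this should not add an unused-variable warning. The body of rsa_verify_key continues outside this hunk.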
@@ -354,17 +355,21 @@ static int rsa_verify_key(struct image_sign_info *info,
        uint8_t buf[sig_len];
        hash_len = checksum->checksum_len;
 
-#if !defined(USE_HOSTCC)
-       ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
-       if (ret) {
-               printf("RSA: Can't find Modular Exp implementation\n");
-               return -EINVAL;
-       }
+#ifndef USE_HOSTCC
+       if (IS_ENABLED(CONFIG_DM)) {
+               ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
+               if (ret) {
+                       printf("RSA: Can't find Modular Exp implementation\n");
+                       return -EINVAL;
+               }
 
-       ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
-#else
-       ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
+               ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
+       } else
 #endif
+       {
+               ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
+       }
+
        if (ret) {
                debug("Error in Modular exponentation\n");
                return ret;
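Review bot: The guard `if (IS_ENABLED(CONFIG_DM)) {` tests the U-Boot-proper symbol, not the per-phase one the commit message names; it should be `if (CONFIG_IS_ENABLED(DM)) {` so that an SPL build checks SPL_DM. As written, a board with CONFIG_DM=y but SPL_DM unset would still take the hardware path in SPL, which is the configuration this patch is meant to support. Presumably `uclass_get_device()` would then either fail to link or return an error, so verification would fail closed with -EINVAL rather than be bypassed, but signed FIT boot would still not work. The same condition is used on the declaration in the previous hunk. The `} else` / `#endif` / `{` arrangement also deserves a short comment such as `/* software fallback: host tools and non-DM phases */`, since the brace pairing is easy to misread; the function continues outside this hunk.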
-- 
2.39.5

