On Fri, Feb 27, 2026 at 04:24:37PM +0530, Chawdhry, Manorit wrote: > Hi Neha, Nagabhushan, > > On 2/27/2026 4:00 PM, Francis, Neha wrote: > > Hi Nagabhushan > > > > + Manorit do correct me if I'm wrong > > > > On 2/27/2026 5:14 AM, Simon Glass wrote: > > > +Neha Malcom Francis > > > > > > Hi, > > > > > > On Wed, 25 Feb 2026 at 01:54, Nagabhushan D <[email protected]> > > > wrote: > > > > > > > > Hi Team, > > > > I am a recent graduate working in Embedded stream. Currently exploring > > > > secure booting on TI boards. I went through some of the writings on > > > > github - > > > > https://github.com/ARM-software/u-boot/blob/master/doc/uImage.FIT/signature.txt > > > > and other sources by TI. I would like to get few confusions cleared by > > > > this mail and thanks for take some time for this. > > > > I'm linking a couple of links [0] and [1] that should clear up everything > > if you > > haven't stumbled upon them already. > > > > > > > > > > 1. Can I try out only fitImage verification with hs fs boards only? > > > > > > Neha may know about that one. > > > > No, both GP/HS can enforce fitImage auth (check FIT_SIGNATURE_ENFORCE) > > > > FIT_SIGNATURE_ENFORCE is something that wasn't upstreamed.. it's something > internally that we had tried to flow flush it and just left it at an RFC > stage [2] > > But to answer yes, all the keys and everything is contains within U-boot so > regardless of HS/GP or whatever device, it should work fine if you follow > the guide. > > > > > > > > 2. Can I try it with ti dummy keys or any other way to know if the > > > > flow/fit signing is correct? > > > > > > There are tests which check signature verification using sandbox, > > > which might be the easiest way to try it out. See test_fit.py > > > > Yes sandbox testing would work, as well as building with the TI dummy key. > > > > > > > > Regards, > > > Simon > > > > [0] > > https://software-dl.ti.com/processor-sdk-linux/esd/AM62AX/latest/exports/docs/linux/Foundational_Components_Kernel_Users_Guide.html#creating-the-kernel-fitimage-for-high-security-device-gp-devices > > (this is our SDK doc, just in case you need more help to follow along, more > > or > > less the same as what the upstream docs talk about) > > > > [1] https://docs.u-boot.org/en/latest/board/ti/k3.html#fit-signature-signing > > > > [2]: > https://lore.kernel.org/u-boot/20240111-b4-upstream-fit-signature-enforce-v1-1-2b91be318...@ti.com/
And someone picking this up again would be appreciated. -- Tom
signature.asc
Description: PGP signature
