From 3ecef14093914bb95fdc69e929a18cd7219ff01f Mon Sep 17 00:00:00 2001 From: Manorit Chawdhry Date: Fri, 27 Jun 2025 10:56:50 +0530 Subject: Revert "conf: machine: k3: disable all fit signing for uboot" FIT signing was disabled in the past as it was interfering with multi DTB usecase in binman, and it was thought that the binman signing being done is equivalent to UBOOT_SIGN_ENABLE. Though looking at the sources, UBOOT_SIGN_ENABLE is actually used to sign the kernel FIT Image instead and the name UBOOT actually specifies that it's used in tandom with U-boot. During the signing process, mkimage from U-boot is used to pack the kernel FIT Image and along with that, one DTB from U-boot is also passed to the mkimage command. The DTB that gets passed gets the key embedded in it that is used to verify the kernel FIT image at runtime. Now this signed DTB is packed in U-boot by triggering a rebuild with EXT_DTB argument in the U-boot build process. However, this failed as there was a U-boot bug which was not looking at the packed sources properly with the multi DTB usecase. Now that a U-boot fix is available [0], revert that commit which disabled the FIT signing. This reverts commit 9656b79cb557a46d2611b67e7e51702f6da05594. [0]: https://lore.kernel.org/all/20250626-b4-upstream-fix-icssg-fit-v1-1-95eff1c853a4@ti.com/ Signed-off-by: Manorit Chawdhry Signed-off-by: Ryan Eatmon --- meta-ti-bsp/conf/machine/include/k3.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta-ti-bsp/conf/machine/include/k3.inc b/meta-ti-bsp/conf/machine/include/k3.inc index b743c8cc..0e8729df 100644 --- a/meta-ti-bsp/conf/machine/include/k3.inc +++ b/meta-ti-bsp/conf/machine/include/k3.inc @@ -20,6 +20,10 @@ SPL_BINARY = "tispl.bin" SPL_BINARYNAME = "tispl.bin" UBOOT_SUFFIX = "img" +UBOOT_SIGN_ENABLE = "1" +UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb" +UBOOT_SIGN_KEYNAME ?= "custMpk" +UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys" FIT_HASH_ALG ?= "sha512" FIT_SIGN_ALG ?= "rsa4096" -- cgit v1.2.3-54-g00ecf