uboot-sign: Make SPL DTB public key injection optional

jamin-aspeed · rpurdie · commit 29cd5ace40d4 · 2025-06-12T11:04:05.000+01:00
Introduce SPL_SIGN_ADD_PUBKEY to control whether the public key is
added into the SPL device tree and whether FIT signature verification is
performed after signing.

Key changes:
- Added SPL_SIGN_ADD_PUBKEY variable (default = "1")
- Conditionally apply '-K &lt;dtb&gt;' to mkimage only if adding key is enabled
- Skip fit_check_sign when public key injection is disabled
- Suppress concat_spl_dtb() warnings if key adding is turned off

This allows U-Boot FIT images to be signed without modifying the SPL DTB,
useful in scenarios where public key management is handled elsewhere or
post-processing will be done separately.

Signed-off-by: Jamin Lin &lt;jamin_lin@aspeedtech.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
@@ -34,6 +34,12 @@ UBOOT_FITIMAGE_ENABLE ?= "0"
 # Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1"
 SPL_SIGN_ENABLE ?= "0"
 
+# Whether to add (embed) the public key into the SPL Device Tree (.dtb).
+# If set to "1", the key will be inserted into the /signature node of the DTB
+# and fit_check_sign will be used to verify the signature.
+# If set to "0", only signing will be performed, without modifying the DTB.
+SPL_SIGN_ADD_PUBKEY ?= "1"
+
 # Default value for deployment filenames.
 UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
 UBOOT_DTB_BINARY ?= "u-boot.dtb"
@@ -245,7 +251,9 @@ concat_spl_dtb() {
 	if [ -e "${SPL_DIR}/${SPL_NODTB_BINARY}" -a -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then
 		cat ${SPL_DIR}/${SPL_NODTB_BINARY} ${SPL_DIR}/${SPL_DTB_SIGNED} > "${SPL_BINARY}"
 	else
-		bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
+		if [ "${SPL_SIGN_ADD_PUBKEY}" = "1" ]; then
+			bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available."
+		fi
 	fi
 }
 
@@ -474,15 +482,17 @@ EOF
 		${UBOOT_MKIMAGE_SIGN} \
 			${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
 			-F -k "${SPL_SIGN_KEYDIR}" \
-			-K "${SPL_DIR}/${SPL_DTB_BINARY}" \
+			${@'-K "${SPL_DIR}/${SPL_DTB_BINARY}"' if d.getVar("SPL_SIGN_ADD_PUBKEY") == "1" else ''} \
 			-r ${UBOOT_FITIMAGE_BINARY} \
 			${SPL_MKIMAGE_SIGN_ARGS}
 		#
 		# Verify the U-boot FIT image and SPL dtb
 		#
-		${UBOOT_FIT_CHECK_SIGN} \
-			-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
-			-f ${UBOOT_FITIMAGE_BINARY}
+		if [ "${SPL_SIGN_ADD_PUBKEY}" = "1" ]; then
+			${UBOOT_FIT_CHECK_SIGN} \
+				-k "${SPL_DIR}/${SPL_DTB_BINARY}" \
+				-f ${UBOOT_FITIMAGE_BINARY}
+		fi
 	fi
 
 	if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
