Showing results for 
Search instead for 
Did you mean: 

[STM32MP15][Yocto] Signing fitImage with multiple device trees.


Hello, I’m working on enabling secure boot on our STM32MP15 cards. We are using yocto, with the layer from ST (meta-st-stm32mp).  I am currently trying to implement the check of the signature of the fitImage by u-boot. I have added this configuration:


UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

We have multiple models of cards, with different device trees for each. U-boot is configured to load the correct one with information from the card. So there are multiple device trees with different configurations in our fitImage.


However it appears it is not possible to sign the fitImage with multiple device trees. A fatal error is launched when trying.It seems to comes from a function in recipes-kernel/linux/ in the layer from ST, but I don’t understand why


This is the function:


python() {
fitimage_signed = d.getVar('UBOOT_SIGN_ENABLE')
devicetree = d.getVar('KERNEL_DEVICETREE').split()
machine_features = d.getVar('MACHINE_FEATURES')
if 'fit' in machine_features:
     if fitimage_signed is not None and fitimage_signed == "1":
         if len(devicetree) > 1:
             bb.fatal("The signature of FIT image work only when there”
                      "is only one DEVICE-TREE specified")


The signing of the fit image is implemented in the classes uboot-sign and kernel-fitimage from poky, not from ST. I checked the commit on meta-st-stm32mp  and there was no explanation as to why this was added. I patched this function to create a fitImage. I used fit_check_sign, a tool from uboot, to check if it was properly signed and it raised no error. Is there something I am missing? Does anyone know why this function was added ? Thanks for your help.


Charles Neyrand

Bernard PUEL
ST Employee

This error Check was added here to avoid wrong behavior because YOCTO (FIT feature) only supports one signature.  

Thank you for your answer. After re reading the class documentation, it is not mentioned that signature only works with one device tree. Would you mind explaining what exactly is not supported by YOCTO ?