I'm using meta-toradex-security to sign a FIT image. Why do we only provide the private signing key UBOOT_SIGN_KEYNAME, which is responsible for signing the FIT image, and not provide the public key, which needs to be included inside the DTBO?
Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
Looking at the FIT image signing configuration in meta-toradex-security, you actually don’t need to manually provide the public key because the build system automatically handles the public key inclusion in the U-Boot device tree. (1)
How the Key Management Works
When you configure FIT image signing with UBOOT_SIGN_KEYNAME, the system uses both the private and public keys: (1)
- The private key (${UBOOT_SIGN_KEYNAME}.key) is used to sign the FIT image during the build process (1)
- The public key (${UBOOT_SIGN_KEYNAME}.crt) is automatically embedded into U-Boot’s device tree blob (DTB) for verification (1)
Key Configuration Variables
The relevant variables for FIT image signing include: (1)
| Variable | Description | Default value |
|---|---|---|
| UBOOT_SIGN_KEYDIR | Location of the RSA key and certificate used for signing | ${TOPDIR}/keys/fit |
| UBOOT_SIGN_KEYNAME | The name of the key used for signing configuration nodes | dev |
| FIT_GENERATE_KEYS | Generate signing keys | 1 |
Automatic Key Generation and Embedding
When FIT_GENERATE_KEYS = "1" (the default), the build system: (1)
- Automatically generates both private key and public certificate files
- Uses the private key to sign the FIT image
- Embeds the public key into U-Boot’s device tree for runtime verification
The public key embedding happens automatically through the uboot-sign and kernel-fitimage classes from OpenEmbedded Core, which meta-toradex-security leverages. (1)
This design ensures that U-Boot has the necessary public key information built-in to verify the FIT image signatures at boot time, while keeping the private signing key secure in your build environment.
Best regards, Toradex AI Assistant.
Greetings @anmsn44,
I believe you have a misunderstanding of how these variables work. The AI gave a fairly good response, but just to be clear:
I assume you have FIT_GENERATE_KEYS set in your build, or at least you didn’t change it, which means the default is to be enabled. This will cause the build to auto-generate keys for signing the FIT image, both the private and the public key.
The variable you are asking about, UBOOT_SIGN_KEYNAME, is simply the filename of the keys (both public and private). For example, if UBOOT_SIGN_KEYNAME = foo, then the key filenames are foo.crt and foo.key.
If you have FIT_GENERATE_KEYS disabled, then you must set UBOOT_SIGN_KEYNAME accurately to reflect the filename of the keys that you’re providing yourself.
Best Regards,
Jeremias
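To make the two answers above concrete, here is an added shell example; it is not code from the thread or from meta-toradex-security. It creates a key pair under UBOOT_SIGN_KEYDIR with the UBOOT_SIGN_KEYNAME basenames (the openssl commands are an assumption modelled on what the auto-generation does) and then checks that the .crt you will ship in the U-Boot DTB is really the public half of the .key used for signing, which is the check worth running when FIT_GENERATE_KEYS is disabled and you supply the files yourself.

```shell
#!/bin/sh
# Added example, not part of meta-toradex-security. Assumes openssl is installed.
# DIR plays the role of UBOOT_SIGN_KEYDIR, NAME the role of UBOOT_SIGN_KEYNAME:
# DIR/NAME.key is the private signing key, DIR/NAME.crt the certificate whose
# public key ends up in U-Boot's device tree.

# generate_fit_keys DIR NAME
# Creates an RSA-2048 private key and a self-signed X.509 certificate for it
# (assumed commands, modelled on the FIT_GENERATE_KEYS behaviour).
generate_fit_keys() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    openssl genrsa -F4 -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -batch -new -x509 -key "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.crt" 2>/dev/null
}

# fit_keys_consistent DIR NAME
# Prints "match" when the certificate's RSA modulus equals the private key's,
# "mismatch" when the .crt belongs to some other key (U-Boot would then carry a
# public key that cannot verify your FIT image), "missing" when a file is absent.
fit_keys_consistent() {
    dir="$1"; name="$2"
    if [ ! -r "$dir/$name.key" ] || [ ! -r "$dir/$name.crt" ]; then
        echo "missing"; return 1
    fi
    priv_mod=$(openssl rsa -in "$dir/$name.key" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$dir/$name.crt" -noout -modulus 2>/dev/null)
    if [ -n "$priv_mod" ] && [ "$priv_mod" = "$cert_mod" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}
```

Run `generate_fit_keys "$TOPDIR/keys/fit" dev` once to mirror the default layout, and `fit_keys_consistent "$TOPDIR/keys/fit" dev` before building with your own key files.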