I'm using the meta-security-toradex layer to sign the FIT image, so where is the public key stored? Is it inside U-Boot or included as a DTBO? I'm asking because my output FIT does not contain a key as a DTBO.
Hi, I’m the Toradex AI Assistant.
I might make mistakes or occasionally get you wrong. Our support team will step in if needed.
I’d be glad to help! To provide the most accurate guidance for your FIT image signing setup, could you let me know which hardware and OS version you are using?
For example:
- Hardware: Verdin i.MX8M Plus, Verdin AM62, Aquila AM69, Apalis i.MX8QP, Colibri i.MX8X, etc.
- OS: Torizon OS 7.x.y, Yocto 7.2.0, BSP 7, etc.
You can get this information by running the tdx-info command on your device. More details about this tool are available at: Getting Device Information with Tdx-Info | Toradex Developer Center
The location and method of storing the public key for FIT image verification can vary depending on your specific platform and configuration, so knowing your exact setup will help me provide the most relevant information about where the public key is stored in your case.
Best regards, Toradex AI Assistant.
If I answered your question, please tick the “Solution” checkbox.
For follow-up questions to me, please use @ToradexAI in your post.
I'm using the i.MX8QM.
For i.MX8QM with FIT image signing using meta-toradex-security, the public key is embedded directly inside the U-Boot control device tree blob (DTB), not as a separate DTBO file(1).
Where the Public Key is Stored
The public key is stored within U-Boot’s control DTB during the build process(1). This happens when you generate the signed FIT image - the public key information gets embedded into the U-Boot device tree structure itself.
Why Your FIT Image Doesn’t Contain a Key DTBO
This is expected behavior. The FIT image contains the signed components (kernel, device trees, etc.) and their signatures, but the public key for verification is embedded in U-Boot’s control DTB, not included as a separate overlay in the FIT image(1).
How the Verification Process Works
When using the security hardening features, U-Boot implements exclusive signed software execution through bootm protection(1). The hardening ensures that only FIT images signed with the proper keys can be booted, and the public key embedded in U-Boot’s control DTB is used to verify these signatures(1).
The command whitelisting feature also restricts available commands when the device is in closed state, allowing only those required for secure booting(1).
Could you also let me know which version of the OS you’re running (e.g., Torizon OS 7.x.y, BSP 6, etc.)? This will help me provide more specific guidance for your setup.
Best regards, Toradex AI Assistant.
Is U-Boot hardening required to verify signatures?
Greetings @anmsn44,
As per: U-Boot FIT Signature Verification — Das U-Boot unknown version documentation
For FIT image signing, the public key information is stored in U-Boot’s control FDT, which is not the same as the Linux kernel’s FDT. This makes sense, since U-Boot is the stage prior to the FIT image.
Once U-Boot has been verified itself, it can be trusted to then verify the next stage of the boot, in this case the FIT image.
Best Regards,
Jeremias
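Added example, not code from this thread, from Toradex or from U-Boot: a minimal flattened-device-tree walker that lists the `/signature/key-*` nodes that `mkimage -K` writes into U-Boot's control DTB, so you can confirm that a public key really was embedded there rather than looking for it in the FIT. The sample DTB is constructed inside the block (key name `key-dev`, shortened modulus); to check a real build, read the bytes of your `u-boot.dtb` and pass them to `verification_keys`.

```python
import struct

MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9   # DTB tokens
pad4 = lambda b: b + b"\0" * (-len(b) % 4)

def build_fdt(tree):
    # Serialise {"props": {...}, "children": {...}} into a DTB; used here only to build
    # the constructed sample (a real control DTB comes out of the U-Boot build).
    strings, blk = bytearray(), bytearray()
    def emit(name, node):
        blk.extend(struct.pack(">I", BEGIN_NODE) + pad4(name.encode() + b"\0"))
        for pname, val in node.get("props", {}).items():
            blk.extend(struct.pack(">III", PROP, len(val), len(strings)) + pad4(val))
            strings.extend(pname.encode() + b"\0")
        for cname, child in node.get("children", {}).items(): emit(cname, child)
        blk.extend(struct.pack(">I", END_NODE))
    emit("", tree)
    blk.extend(struct.pack(">I", END))
    off_struct = 40 + 16                        # 40-byte header + empty reservation map
    header = struct.pack(">10I", MAGIC, off_struct + len(blk) + len(strings), off_struct,
                         off_struct + len(blk), 40, 17, 16, 0, len(strings), len(blk))
    return bytes(header + b"\0" * 16 + blk + strings)

def fdt_properties(dtb):
    # Walk the structure block and return {"/node/path": {property: raw value bytes}}.
    magic, _, pos, off_strings = struct.unpack_from(">IIII", dtb, 0)
    if magic != MAGIC: raise ValueError("not a flattened device tree")
    nodes, path = {}, []
    node_path = lambda: "/" + "/".join(p for p in path if p)
    while True:
        tok, = struct.unpack_from(">I", dtb, pos); pos += 4
        if tok == BEGIN_NODE:                   # NUL-terminated name, padded to 4 bytes
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode()); nodes.setdefault(node_path(), {})
            pos = end + 1 + (-(end + 1) % 4)
        elif tok == PROP:                       # u32 len, u32 name offset, padded value
            length, noff = struct.unpack_from(">II", dtb, pos); pos += 8
            name = dtb[off_strings + noff:dtb.index(b"\0", off_strings + noff)].decode()
            nodes[node_path()][name] = dtb[pos:pos + length]; pos += length + (-length % 4)
        elif tok == END_NODE: path.pop()
        elif tok == END: return nodes
        elif tok != NOP: raise ValueError("bad FDT token %#x" % tok)

def verification_keys(dtb):
    # {key node: (algo, required)} for every /signature/key-* node, i.e. the public keys
    # U-Boot trusts for FIT verification; required = "conf" means every configuration
    # must carry a valid signature. An empty dict means no key was written into this DTB.
    props = fdt_properties(dtb)
    return {p.rsplit("/", 1)[1]: (props[p]["algo"].rstrip(b"\0").decode(),
                                  props[p].get("required", b"").rstrip(b"\0").decode())
            for p in props if p.startswith("/signature/key-")}

# Constructed sample of what `mkimage -K u-boot.dtb ...` leaves behind (modulus shortened).
KEY_DEV = {"required": b"conf\0", "algo": b"sha256,rsa2048\0", "rsa,modulus": b"\x01\x02\x03\x04"}
SAMPLE_DTB = build_fdt({"children": {"signature": {"children": {"key-dev": {"props": KEY_DEV}}}}})
```

With the device tree compiler tools installed, `fdtget -l u-boot.dtb /signature` lists the same key nodes on a real control DTB.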