At present EFI_SECURE BOOT selects RSA but does not necessarily enable FIT_SIGNATURE. Mostly this is fine, but a few boards do not enable it, so U-Boot tries to do RSA verification when loading FIT images, but it is not enabled.
This worked because the condition for checking the RSA signature is wrong in the fit_image_verify_with_data() function. In order to fix it we need to fix this dependency. Make sure that FIT_SIGNATURE is enabled so that RSA can be used. It might be better to avoid using 'select' in this situation. Signed-off-by: Simon Glass <s...@chromium.org> --- (no changes since v1) lib/efi_loader/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig index 14bf5f7e92e..c1cc143f354 100644 --- a/lib/efi_loader/Kconfig +++ b/lib/efi_loader/Kconfig @@ -343,7 +343,7 @@ config EFI_LOAD_FILE2_INITRD config EFI_SECURE_BOOT bool "Enable EFI secure boot support" - depends on EFI_LOADER + depends on EFI_LOADER && FIT_SIGNATURE select HASH select SHA256 select RSA -- 2.33.0.685.g46640cef36-goog