From: Pegorer Massimo
To: "u-boot@lists.denx.de"
CC: Simon Glass, Sean Anderson
Subject: Patch proposal - mkimage: fit: Support signed conf 'auto' FITs
Date: Sat, 19 Nov 2022 18:00:55 +0000
Commit 87b0af9317cb4105f3f29cb0a4c28c7cd87ea65f added support for signing auto-generated (mkimage -f auto) FIT. Unfortunately, this signs 'images' subnodes but not 'configurations' ones.
The following patch is a proposal to support also 'configurations' signing + 'images' hashing, as an alternative to 'images' signing, with 'auto' FIT. For this purpose, a new optional argument is added to the mkimage '-r' option: any other better idea?

=====

From 8c8c8f421d541cc2eccb50490a57e86b81dc8df2 Mon Sep 17 00:00:00 2001
From: Massimo Pegorer
Date: Sat, 19 Nov 2022 16:25:58 +0100
Subject: [PATCH] mkimage: fit: Support signed conf 'auto' FITs

Extend support for signing in auto-generated FITs. Previously, it was
possible to sign 'images' subnodes in auto FIT, but not 'configurations'
subnodes. Consequently, usage with -K and -r options (i.e. write keys as
'required' in a .dtb file) resulted in adding a signature node with
required = "image" property in the dtb.

This patch allows usage of an optional argument with -r option to select
which subnodes, 'images' ones or 'configurations' ones, have to be signed
(in the second case 'images' subnodes are hashed): with '-r' or '-rimage'
the first are signed, while with '-rconf' the second; argument values
different from 'image' and 'conf' are invalid.

Example to write a key with required = "conf" attribute into a dtb file:

mkimage -f auto -rconf -d /dev/null -K -o \
 -g -k

Signed-off-by: Massimo Pegorer
---
 tools/fit_image.c | 25 +++++++++++++++++--------
 tools/mkimage.c   | 18 ++++++++++++++----
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/tools/fit_image.c b/tools/fit_image.c
index 923a9755b7..c78d83d509 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -199,19 +199,22 @@ static void get_basename(char *str, int size, const c= har *fname) } =20 /** - * add_hash_node() - Add a hash or signature node + * add_hash_or_sign_node() - Add a hash or signature node * * @params: Image parameters * @fdt: Device tree to add to (in sequential-write mode) + * @do_add_hash: true to add hash even if key name hint is provided * - * If there is a key name hint, try to sign the images. Otherwise, just ad= d a - * CRC. + * If do_add_hash is false (default) and there is a key name hint, try to = add + * a sign node to parent. Otherwise, just add a CRC. Rationale: if conf ha= ve + * to be signed, image/dt have to be hashed even if there is a key name hi= nt. * * Return: 0 on success, or -1 on failure */ -static int add_hash_node(struct image_tool_params *params, void *fdt) +static int add_hash_or_sig_node(struct image_tool_params *params, void *fd= t, + bool do_add_hash) { - if (params->keyname) { + if (!do_add_hash && params->keyname) { if (!params->algo_name) { fprintf(stderr, "%s: Algorithm name must be specified\n", @@ -269,7 +272,7 @@ static int fit_write_images(struct image_tool_params *p= arams, char *fdt) ret =3D fdt_property_file(params, fdt, FIT_DATA_PROP, params->datafile); if (ret) return ret; - ret =3D add_hash_node(params, fdt); + ret =3D add_hash_or_sig_node(params, fdt, (params->require_keys =3D=3D 2)= ); if (ret) return ret; fdt_end_node(fdt); @@ -294,7 +297,8 @@ static int fit_write_images(struct image_tool_params *p= arams, char *fdt) genimg_get_arch_short_name(params->arch)); fdt_property_string(fdt, FIT_COMP_PROP, genimg_get_comp_short_name(IH_COMP_NONE)); - ret =3D add_hash_node(params, fdt); + ret =3D add_hash_or_sig_node(params, fdt, + (params->require_keys =3D=3D 2)); if (ret) return ret; fdt_end_node(fdt); 
@@ -314,7 +318,8 @@ static int fit_write_images(struct image_tool_params *p= arams, char *fdt) params->fit_ramdisk); if (ret) return ret; - ret =3D add_hash_node(params, fdt); + ret =3D add_hash_or_sig_node(params, fdt, + (params->require_keys =3D=3D 2)); if (ret) return ret; fdt_end_node(fdt); @@ -366,6 +371,8 @@ static void fit_write_configs(struct image_tool_params = *params, char *fdt) =20 snprintf(str, sizeof(str), FIT_FDT_PROP "-%d", upto); fdt_property_string(fdt, FIT_FDT_PROP, str); + if (params->require_keys =3D=3D 2) + add_hash_or_sig_node(params, fdt, false); fdt_end_node(fdt); } =20 @@ -378,6 +385,8 @@ static void fit_write_configs(struct image_tool_params = *params, char *fdt) if (params->fit_ramdisk) fdt_property_string(fdt, FIT_RAMDISK_PROP, FIT_RAMDISK_PROP "-1"); + if (params->require_keys =3D=3D 2) + add_hash_or_sig_node(params, fdt, false); =20 fdt_end_node(fdt); } diff --git a/tools/mkimage.c b/tools/mkimage.c index 30c6df7708..4d4f128b54 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -125,7 +125,7 @@ static void usage(const char *msg) " -c =3D> add comment in signature node\n" " -F =3D> re-sign existing FIT image\n" " -p =3D> place external data at a static position\n" - " -r =3D> mark keys used as 'required' in dtb\n" + " -r =3D> mark keys used as 'required' in dtb (-rconf for 'auto= ' FIT with signed config)\n" " -N =3D> openssl engine to use for signing\n" " -o =3D> algorithm to use for signing\n"); #else @@ -159,7 +159,7 @@ static int add_content(int type, const char *fname) } =20 static const char optstring[] =3D - "a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qrR:stT:vVx"; + "a:A:b:B:c:C:d:D:e:Ef:Fg:G:i:k:K:ln:N:o:O:p:qr::R:stT:vVx"; =20 static const struct option longopts[] =3D { { "load-address", required_argument, NULL, 'a' }, 
@@ -187,7 +187,7 @@ static const struct option longopts[] =3D { { "os", required_argument, NULL, 'O' }, { "position", required_argument, NULL, 'p' }, { "quiet", no_argument, NULL, 'q' }, - { "key-required", no_argument, NULL, 'r' }, + { "key-required", optional_argument, NULL, 'r' }, { "secondary-config", required_argument, NULL, 'R' }, { "no-copy", no_argument, NULL, 's' }, { "touch", no_argument, NULL, 't' }, @@ -326,7 +326,12 @@ static void process_args(int argc, char **argv) params.quiet =3D 1; break; case 'r': - params.require_keys =3D 1; + if (!optarg || !strcmp(optarg, "image")) + params.require_keys =3D 1; + else if (!strcmp(optarg, "conf")) + params.require_keys =3D 2; + else + usage("Invalid key-required option argument"); break; case 'R': /* @@ -370,6 +375,11 @@ static void process_args(int argc, char **argv) if (optind < argc) params.imagefile =3D argv[optind]; =20 + if (params.require_keys =3D=3D 2) + if (!params.auto_its || !params.keyname || !params.algo_name) + usage("Auto FIT with signed config requires -f auto " + "-rconf -g -o "); + /* * For auto-generated FIT images we need to know the image type to put * in the FIT, which is separate from the file's image type (which --=20 2.34.1
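Review bot: the kerneldoc in the fit_image.c @@ -199 hunk names the function add_hash_or_sign_node() while the definition below it is add_hash_or_sig_node(); the two must match or the doc is wrong from day one. The sentence "If do_add_hash is false (default)" is also misleading, since C has no default arguments and every caller in this patch passes the flag explicitly; suggest `* add_hash_or_sig_node() - Add a hash or signature node` and rewording the @do_add_hash line to say that true forces a hash node even when a key name hint is present.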
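Review bot: `params->require_keys == 2` is a magic number repeated at the three fit_write_images call sites (hunks @@ -269, @@ -294 and @@ -314), twice more in fit_write_configs and again in mkimage.c, and its meaning (sign configurations, hash images) is only recoverable by reading process_args. Suggest an enum on image_tool_params, e.g. `REQUIRE_KEYS_NONE`, `REQUIRE_KEYS_IMAGE`, `REQUIRE_KEYS_CONF`, so that `add_hash_or_sig_node(params, fdt, params->require_keys == REQUIRE_KEYS_CONF)` reads as intent, and the 3-line wrapped calls in the @@ -294 and @@ -314 hunks become short enough to fit on one line.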
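Review bot: in the fit_image.c @@ -366 and @@ -378 hunks the return value of add_hash_or_sig_node() is discarded; fit_write_configs() is void, so the -1 the helper returns cannot be propagated the way fit_write_images() does with `if (ret) return ret;`. The process_args check in mkimage.c makes the missing-algo_name case unreachable for -rconf today, but a silently ignored failure inside a signature node is exactly the kind of thing that produces an unsigned configuration nobody notices; consider making fit_write_configs() return int and checking it in its caller. Separately, the visible hunks add the configuration's signature node without a `sign-images` property while the @@ -378 context references a ramdisk from the same configuration; please confirm that the ramdisk is bound by the configuration signature when no sign-images list is given, or emit `sign-images` listing kernel, fdt and ramdisk explicitly, otherwise the ramdisk stays replaceable under a signed configuration.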
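Review bot: with `r::` in optstring (@@ -159) and optional_argument in longopts (@@ -187), getopt only sees the argument when it is attached, i.e. `-rconf` or `--key-required=conf`; an operator who types `-r conf` gets optarg == NULL, so the @@ -326 hunk silently selects image signing (`params.require_keys = 1`) and, per `params.imagefile = argv[optind]` in the @@ -370 hunk, "conf" is consumed as the positional imagefile. The result is a FIT whose images are signed and a dtb marking the key required = "image" while the operator believes the configurations were signed, which is the wrong outcome to fail into quietly. Suggest stating the attached form in the -r usage line of the @@ -125 hunk (and mentioning -rimage there, which the commit message describes but the help text does not), or adding a distinct long option such as --key-required-conf so the separated spelling cannot be misparsed.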
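Review bot: the mkimage.c @@ -370 hunk nests two unbraced ifs, `if (params.require_keys == 2) if (!params.auto_its || ...)`, which U-Boot style and checkpatch will flag; fold them into one condition, `if (params.require_keys == 2 && (!params.auto_its || !params.keyname || !params.algo_name))`. The validation is also one-sided: `-r` with `-f auto` and no `-g` is still accepted, and add_hash_or_sig_node() in the @@ -199 hunk then falls through to a CRC-only node with no error, so the same check (minus the require_keys == 2 guard) would also catch the image-signing variant of the mistake.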
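The '-rconf' layout the email and the commit message describe (every 'images' subnode hashed, each 'configurations' subnode carrying a signature node) can be checked after the fact by reading the FIT as a flattened device tree. The script below is an added example, not part of the original post and not U-Boot code: build_fdt, parse_fdt, audit_fit and example_conf_signed_fit are names chosen here, the sample FIT is constructed inline, and DEFAULT_SIGN_IMAGES is an assumption taken from U-Boot's doc/uImage.FIT/signature.txt, that a configuration signature without a sign-images property covers only the kernel and fdt references.

```python
"""Audit which FIT subnodes are hashed and which are signed. Added example, not
U-Boot code: a minimal DTB writer/reader plus a check over the resulting tree."""
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9
IMAGE_REFS = ("kernel", "fdt", "ramdisk", "firmware", "loadables")  # FIT conf props
# Assumption from doc/uImage.FIT/signature.txt: a configuration signature with
# no 'sign-images' property covers only the "kernel" and "fdt" references.
DEFAULT_SIGN_IMAGES = ["kernel", "fdt"]


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree):
    """Serialise {'name', 'props': {name: bytes}, 'children': [...]} to a DTB blob."""
    strings, body, offs = bytearray(), bytearray(), {}

    def emit(node):
        body.extend(struct.pack(">I", BEGIN_NODE) + _pad4(node["name"].encode() + b"\0"))
        for pname, val in node["props"].items():
            if pname not in offs:  # property names are interned in the strings block
                offs[pname] = len(strings)
                strings.extend(pname.encode() + b"\0")
            body.extend(struct.pack(">III", PROP, len(val), offs[pname]) + _pad4(val))
        for child in node["children"]:
            emit(child)
        body.extend(struct.pack(">I", END_NODE))

    emit(tree)
    body.extend(struct.pack(">I", END))
    off_struct = 40 + 16  # 40-byte header followed by one all-zero memreserve entry
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + bytes(body) + bytes(strings)


def parse_fdt(blob):
    """Walk the struct block back into the nested-dict form build_fdt accepts."""
    magic, _, pos, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    stack = [{"children": []}]  # sentinel; its first child becomes the root node
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            node = {"name": blob[pos:end].decode(), "props": {}, "children": []}
            pos = end + 1 + (-(end + 1) % 4)  # NUL-terminated name, padded to 4 bytes
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == END_NODE:
            stack.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            start, pos = off_strings + nameoff, pos + 8
            name = blob[start:blob.index(b"\0", start)].decode()
            stack[-1]["props"][name] = blob[pos:pos + length]
            pos += length + (-length % 4)
        elif tok == END:
            return stack[0]["children"][0]
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")


def audit_fit(blob):
    """Per /images/* and /configurations/* node: hash algos, signature (algo, key
    hint) pairs and, for a signed configuration, referenced images it leaves out."""
    root, report = parse_fdt(blob), {}
    for section in ("images", "configurations"):
        sec = next((c for c in root["children"] if c["name"] == section), None)
        for node in (sec["children"] if sec else []):
            entry = {"hashes": [], "signatures": [], "uncovered": []}
            for sub in node["children"]:
                algo = sub["props"].get("algo", b"").rstrip(b"\0").decode()
                if sub["name"].startswith("hash"):
                    entry["hashes"].append(algo)
                elif sub["name"].startswith("signature"):
                    hint = sub["props"].get("key-name-hint", b"").rstrip(b"\0").decode()
                    entry["signatures"].append((algo, hint))
                    covered = ([s.decode() for s in sub["props"]["sign-images"].split(b"\0") if s]
                               if "sign-images" in sub["props"] else DEFAULT_SIGN_IMAGES)
                    entry["uncovered"] += [p for p in IMAGE_REFS
                                           if p in node["props"] and p not in covered]
            report[f"/{section}/{node['name']}"] = entry
    return report


def example_conf_signed_fit():
    """Constructed FIT (not mkimage output): crc32-hashed images and a configuration
    signature with no sign-images, the shape the patch's visible hunks would emit."""
    def image(name, kind):
        return {"name": name, "props": {"type": kind + b"\0", "data": b"\xde\xad\xbe\xef"},
                "children": [{"name": "hash-1", "props": {"algo": b"crc32\0"}, "children": []}]}
    sig = {"name": "signature-1", "children": [],
           "props": {"algo": b"sha256,rsa2048\0", "key-name-hint": b"dev\0"}}
    conf = {"name": "conf-1", "children": [sig],
            "props": {"kernel": b"kernel-1\0", "fdt": b"fdt-1\0", "ramdisk": b"ramdisk-1\0"}}
    return build_fdt({"name": "", "props": {}, "children": [
        {"name": "images", "props": {}, "children": [
            image("kernel-1", b"kernel"), image("fdt-1", b"flat_dt"), image("ramdisk-1", b"ramdisk")]},
        {"name": "configurations", "props": {"default": b"conf-1\0"}, "children": [conf]}]})
```

Run audit_fit(open("image.fit", "rb").read()) against real mkimage output to confirm that a -rconf build hashes every image, that no image carries its own signature node, and that the configuration signature's sign-images list names the ramdisk when one is present: a non-empty 'uncovered' list is the case to fix before trusting the configuration signature alone.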