1 files changed, 29 insertions, 7 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 861b04eaab..5b5eaccc2a 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -3170,13 +3170,35 @@ system and gives an overview of their function and contents.
      :ref:`ref-classes-kernel-fitimage` class.
   :term:`FIT_SIGN_INDIVIDUAL`
-      If set to "1", then the :ref:`ref-classes-kernel-fitimage`
+      If set to "1", the :ref:`ref-classes-kernel-fitimage` class signs each
-      class will sign the kernel, dtb and ramdisk images individually in addition
+      image node individually, including the kernel, DTB, RAM disk, and any
-      to signing the FIT image itself. This could be useful if you are
+      other image types present in the FIT image, in addition to signing the
-      intending to verify signatures in another context than booting via
+      configuration nodes.
-      U-Boot.
+      This can be useful if you need to verify signatures outside of the
+      U-Boot boot process. By default, this variable is set to "0".
-      This variable is set to "0" by default.
+      If :term:`UBOOT_SIGN_ENABLE` is set to "1" and
+      :term:`FIT_SIGN_INDIVIDUAL` remains at its default value of "0", only the
+      configuration nodes are signed. Since configuration nodes include hashes
+      of their referenced image nodes, the integrity of the entire FIT image is
+      ensured as long as the image nodes are loaded via the configuration nodes
+      and the hashes of the image nodes are checked. That's usually the case.
+      Enabling :term:`FIT_SIGN_INDIVIDUAL` typically increases complexity for
+      little benefit. There might be exceptions such as image nodes that are
+      not referenced by any configuration node or loaded directly for whatever
+      reason.
+      For most use cases, setting this variable to "0" provides sufficient
+      security.
+      For further details, refer to the official U-Boot documentation:
+      `U-Boot fit signature <https://docs.u-boot.org/en/latest/usage/fit/signature.html>`__
+      and more specifically at:
+      `U-Boot signed configurations <https://docs.u-boot.org/en/latest/usage/fit/signature.html#signed-configurations>`__.
+      Signing only the image nodes is intentionally not implemented by
+      :term:`OpenEmbedded-Core (OE-Core)`, as it is vulnerable to mix-and-match
+      attacks.
   :term:`FIT_SIGN_NUMBITS`
      Size of the private key used in the FIT image, in number of bits.

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 861b04eaab..5b5eaccc2a 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -3170,13 +3170,35 @@ system and gives an overview of their function and contents.
3170	:ref:`ref-classes-kernel-fitimage` class.	3170	:ref:`ref-classes-kernel-fitimage` class.
3171		3171
3172	:term:`FIT_SIGN_INDIVIDUAL`	3172	:term:`FIT_SIGN_INDIVIDUAL`
3173	If set to "1", then the :ref:`ref-classes-kernel-fitimage`	3173	If set to "1", the :ref:`ref-classes-kernel-fitimage` class signs each
3174	class will sign the kernel, dtb and ramdisk images individually in addition	3174	image node individually, including the kernel, DTB, RAM disk, and any
3175	to signing the FIT image itself. This could be useful if you are	3175	other image types present in the FIT image, in addition to signing the
3176	intending to verify signatures in another context than booting via	3176	configuration nodes.
3177	U-Boot.	3177	This can be useful if you need to verify signatures outside of the
3178		3178	U-Boot boot process. By default, this variable is set to "0".
3179	This variable is set to "0" by default.	3179
		3180	If :term:`UBOOT_SIGN_ENABLE` is set to "1" and
		3181	:term:`FIT_SIGN_INDIVIDUAL` remains at its default value of "0", only the
		3182	configuration nodes are signed. Since configuration nodes include hashes
		3183	of their referenced image nodes, the integrity of the entire FIT image is
		3184	ensured as long as the image nodes are loaded via the configuration nodes
		3185	and the hashes of the image nodes are checked. That's usually the case.
		3186
		3187	Enabling :term:`FIT_SIGN_INDIVIDUAL` typically increases complexity for
		3188	little benefit. There might be exceptions such as image nodes that are
		3189	not referenced by any configuration node or loaded directly for whatever
		3190	reason.
		3191	For most use cases, setting this variable to "0" provides sufficient
		3192	security.
		3193
		3194	For further details, refer to the official U-Boot documentation:
		3195	`U-Boot fit signature <https://docs.u-boot.org/en/latest/usage/fit/signature.html>`__
		3196	and more specifically at:
		3197	`U-Boot signed configurations <https://docs.u-boot.org/en/latest/usage/fit/signature.html#signed-configurations>`__.
		3198
		3199	Signing only the image nodes is intentionally not implemented by
		3200	:term:`OpenEmbedded-Core (OE-Core)`, as it is vulnerable to mix-and-match
		3201	attacks.
3180		3202
3181	:term:`FIT_SIGN_NUMBITS`	3203	:term:`FIT_SIGN_NUMBITS`
3182	Size of the private key used in the FIT image, in number of bits.	3204	Size of the private key used in the FIT image, in number of bits.