I have board with arm-proccessor, that uses u-boot to load firmwares. I load firmware as Squashfs, but I want to make sure, that no one would be able to load their own firmwares, so I want to some how sign my squashfs file and check its signature in u-boot. Are there any standart ways to do it? Does squashfs supports signatures "out-of-box"? Or can I add my signature to the end of squshfs-file?
A solution to this would be to leverage the verified boot functionality of FIT images, and have your squashfs be contained with the FIT image, along with the kernel and device tree files. Then you can ensure they have the signatures that you want before booting, and also disable support for booting unsigned images.