diff --git a/doc/mkimage.1 b/doc/mkimage.1
index b67a35178a0fec45521e27e8242216213df1f0a5..14374da88af0fff839ce105f5e25e9849e7baec9 100644
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -133,6 +133,12 @@ the corresponding public key is written into this file for for run-time
 verification. Typically the file here is the device tree binary used by
 CONFIG_OF_CONTROL in U-Boot.
 
+.TP
+.BI "\-r
+Specifies that keys used to sign the FIT are required. This means that they
+must be verified for the image to boot. Without this option, the verification
+will be optional (useful for testing but not for release).
+
 .SH EXAMPLES
 
 List image information:
diff --git a/tools/fit_image.c b/tools/fit_image.c
index d48f571b0f961b8ef27e8f21c4b501a3501adfc8..281c2bda13a26e6a73dbd8619feccee869344b2e 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -152,10 +152,11 @@ static int fit_handle_file (struct mkimage_params *params)
 		goto err_mmap;
 
 	/* set hashes for images in the blob */
-	if (fit_add_verification_data(params->keydir, dest_blob, ptr,
-				      params->comment, 0)) {
-		fprintf (stderr, "%s Can't add hashes to FIT blob",
-			 params->cmdname);
+	if (fit_add_verification_data(params->keydir,
+				      dest_blob, ptr, params->comment,
+				      params->require_keys)) {
+		fprintf(stderr, "%s Can't add hashes to FIT blob\n",
+			params->cmdname);
 		goto err_add_hashes;
 	}
 
diff --git a/tools/mkimage.c b/tools/mkimage.c
index b3b45a47a3f14e79c9f5213ad57e9d800ec19965..d312844e9c303abf66592ff3b4e1aa7b5efa2533 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -270,6 +270,9 @@ main (int argc, char **argv)
 					usage ();
 				params.imagename = *++argv;
 				goto NXTARG;
+			case 'r':
+				params.require_keys = 1;
+				break;
 			case 'R':
 				if (--argc <= 0)
 					usage();
@@ -645,11 +648,12 @@ usage ()
 	fprintf(stderr, "          -D => set options for device tree compiler\n"
 			"          -f => input filename for FIT source\n");
 #ifdef CONFIG_FIT_SIGNATURE
-	fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>]\n"
+	fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n"
 			"          -k => set directory containing private keys\n"
 			"          -K => write public keys to this .dtb file\n"
 			"          -c => add comment in signature node\n"
-			"          -F => re-sign existing FIT image\n");
+			"          -F => re-sign existing FIT image\n"
+			"          -r => mark keys used as 'required' in dtb\n");
 #else
 	fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
 #endif
diff --git a/tools/mkimage.h b/tools/mkimage.h
index ab8baf8f056fdde53fe107feb16d2127c4366a4b..1d9984e1a3dd36c9e3f9ea147a641c79ede128f2 100644
--- a/tools/mkimage.h
+++ b/tools/mkimage.h
@@ -90,6 +90,7 @@ struct mkimage_params {
 	const char *keydir;	/* Directory holding private keys */
 	const char *keydest;	/* Destination .dtb for public key */
 	const char *comment;	/* Comment to add to signature node */
+	int require_keys;	/* 1 to mark signing keys as 'required' */
 };
 
 /*