author: Sean Anderson <sean.anderson@seco.com> 2022-05-16 23:11:08 +0300
committer: Tom Rini <trini@konsulko.com> 2022-06-07 01:01:20 +0300
commit: 87b0af9317cb4105f3f29cb0a4c28c7cd87ea65f (patch)
tree: 34dbf5df7e5c357a8ba32c0ab3c10310c7a6f5b8 /doc
parent: 5920e5c838d1b6647878e51c0b9b8c9e4eaf1928 (diff)
mkimage: Support signing 'auto' FITs
This adds support for signing images in auto-generated FITs. To do this, we need to add a signature node. The algorithm name property already has its own option, but we need one for the key name hint. We could have gone the -G route and added an explicit name for the public key (like what is done for the private key). However, many places assume the public key can be constructed from the key dir and hint, and I don't want to do the refactoring necessary.

As a consequence of this, it is now easier to add public keys to an existing image without signing something. This could be done all along, but now you don't have to create an its just to do it. Ideally, we wouldn't create a FIT at the end. This could be done by calling fit_image_setup_sig/info.crypto->add_verify_data directly.

Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/mkimage.1 24
1 files changed, 24 insertions, 0 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1
index 878db90475..759dc2d12f 100644
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -219,6 +219,13 @@ Specifies the private key file to use when signing. This option may be used
instead of \-k.
.TP
+.BI "\-g [" "key_name_hint" "]"
+Sets the key-name-hint property when used with \-f auto. This is the <name>
+part of the key. The directory part is set by \-k. This option also indicates
+that the images included in the FIT should be signed. If this option is
+specified, \-o must be specified as well.
+
+.TP
.BI "\-o [" "signing algorithm" "]"
Specifies the algorithm to be used for signing a FIT image. The default is
taken from the signature node's 'algo' property.
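Review bot: The new \-g entry says "This is the <name> part of the key" without defining what <name> is a part of, so a reader cannot tell which files under the \-k directory will be opened. Please spell out how the key path is built from the \-k directory and the hint, and which of those files must be present. The entry also requires \-o, while the unchanged \-o text just below still says the default is "taken from the signature node's 'algo' property"; a short cross-reference there to the \-f auto case would keep the two entries consistent. Minor: the empty line before the following .TP is not used between the other entries in this hunk and can be dropped.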
@@ -279,6 +286,15 @@ skipping those for which keys cannot be found. Also add a comment.
.fi
.P
+Add public keys to u-boot.dtb without needing a FIT to sign. This will also
+create a FIT containing an images node with no data named unused.itb.
+.nf
+.B mkimage -f auto -d /dev/null -k /public/signing-keys -g dev \\\\
+.br
+.B -o sha256,rsa2048 -K u-boot.dtb unused.itb
+.fi
+
+.P
Update an existing FIT image, signing it with additional keys.
Add corresponding public keys into u-boot.dtb. This will resign all images
with keys that are available in the new directory. Images that request signing
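Review bot: The example is introduced as adding public keys "without needing a FIT to sign", yet it passes \-g, which the option text in this same patch describes as indicating "that the images included in the FIT should be signed". Please state what key material must exist in /public/signing-keys for this invocation, in particular whether a private key is read, since that decides whether the command can run on a host that holds only public keys. The sentence "create a FIT containing an images node with no data named unused.itb" also reads as if the images node were named unused.itb; something like "create a FIT named unused.itb whose images node contains no data" is clearer, and it is worth saying the file can be discarded. Minor: the empty line before .P is inconsistent with the surrounding examples.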
@@ -306,6 +322,14 @@ automatic mode. No .its file is required.
.B -c """Kernel 4.4 image for production devices""" -d vmlinuz \\\\
.B -b /path/to/rk3288-firefly.dtb -b /path/to/rk3288-jerry.dtb kernel.itb
.fi
+.P
+Create a FIT image containing a signed kernel, using automatic mode. No .its
+file is required.
+.nf
+.B mkimage -f auto -A arm -O linux -T kernel -C none -a 43e00000 -e 0 \\\\
+.br
+.B -d vmlinuz -k /secret/signing-keys -g dev -o sha256,rsa2048 kernel.itb
+.fi
.SH HOMEPAGE
http://www.denx.de/wiki/U-Boot/WebHome
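Review bot: The added example describes "a signed kernel" but, unlike the public-key example earlier in this patch, passes no \-K, so the text gives no hint how a verifier obtains the matching public key. Please either add a sentence pointing to the \-K example or explain that this command only produces the signature. Since the \-g text says the "images included in the FIT" are signed, it would also help to say here whether anything beyond the image nodes is covered by the signature. Style: the new command lines use .br between the two .B lines, while the unchanged example directly above (the "-c" and "-b" lines) does not; pick one form so the examples render the same way.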