author | Brian Woods | 2021-07-19 15:28:27 -0700 |
---|---|---|
committer | Stefano Stabellini | 2021-07-19 17:08:00 -0700 |
commit | 2845ebb71c017cac08563c953bca26e48daa17e2 | |
tree | 9db9645e895e6fcb135ebe3392896f2cd96a248e /README.md | |
parent | 13016833786fb07b121cb881c0d6663d91c4a0a2 | |
Add FIT signature support
Add support for signing FIT images.
Signed-off-by: Brian Woods <brian.woods@xilinx.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 23 |
1 files changed, 23 insertions, 0 deletions
@@ -117,6 +117,29 @@ Where:\ produces a standard style of fit image without a script, but has issues with dom0less configurations and isn't recommended. \ -o specifies the output filename for the uboot script and its source.\ +-k specifies the key directory for signing images in a FIT image and the + hint. The hint is the name of the crt and key files minus the + suffix (<hint>.key, <hint>.crt). This is optional and but enables + signature for the fit or fit_std -t options.\ +-u specifies the U-boot control dtb. This is an optional argument but + can only be used in combination with the -k option. This adds the + public key into the dtb. Then one can add this dtb back into the + u-boot bin or elf.\ + +### Signed FIT images + +Signed FIT images are a way to sign images with asymmetrical keys. While +making the FIT image, images are signed with a private key; then during +boot U-Boot uses a public key in its control dtb to verify the +signatures. Some of the U-Boot config options needed are: +CONFIG_FIT_SIGNATURE=y\ +CONFIG_RSA=y\ +CONFIG_LEGACY_IMAGE_FORMAT=n\ + +Once U-boot is built, then take the control dtb, supply it to +Imagebuilder when building a signed image, then use it when booting. +For generating the keys and other documentation, see:\ +u-boot/doc/uImage.FIT/signature.txt\ ## scripts/disk\_image |
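Review bot: The new "Signed FIT images" section says images are signed and that U-Boot verifies them with the public key in its control dtb, but it does not say whether the key added by -u is marked as required, or whether configurations are signed as well as individual images. U-Boot's boot path normally enforces verification only for keys that carry the `required` property in the control dtb, and signature.txt recommends signed configurations so that individually signed images cannot be recombined; please document what -k and -u actually produce so a reader can tell whether an unsigned or rearranged FIT would still boot. In the -k description, "This is optional and but enables" should read "This is optional but enables", and it would help to show how the key directory and the hint are passed (one argument or two) and to note that <hint>.key is the private key and belongs only on the build host, while only the public key goes into the dtb. The spelling of U-Boot also varies within the hunk ("U-boot", "U-Boot", "u-boot", "uboot") and should be made consistent.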