How to create Signed FIT image from Distribution package

Applicable for STM32MP13x lines, STM32MP15x lines

1 Article purpose

The purpose of this article is to explain how to create a signed FIT image containing a kernel image and devicetree.

Warning: with the current implementation on Yocto/OpenEmbedded, the creation of a signed FIT image requires that you declare only one devicetree on the machine.

2 Creating a signature key

Yocto/OpenEmbedded can generate the key used to sign the FIT image itself (see FIT_GENERATE_KEYS in the machine configuration below).
To use your own key instead, generate it manually with the commands below.

Create a directory to receive the signing key (uboot-sign-directory in this example):

mkdir uboot-sign-directory/

Generate an RSA private key for signing the fitImage:

 openssl genrsa -F4 \
     -out uboot-sign-directory/my-uboot-sign-key.key \
     2048

Generate a certificate for signing the fitImage:

 openssl req -batch -new -x509 \
     -key uboot-sign-directory/my-uboot-sign-key.key \
     -out uboot-sign-directory/my-uboot-sign-key.crt

3 Machine configuration on the Distribution Package

On the Yocto/Openembedded machine you must specify several parameters:

  • force use of a FIT image
  • request to sign the FIT image
  • specify the path of the signing key

3.1 Use the FIT image

# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"

3.2 Sign the FIT image

UBOOT_SIGN_ENABLE = "1"

3.3 Signing key

If your keys are located in a specific directory, for example $HOME/uboot-sign-directory, give that directory as an absolute path (BitBake does not expand $HOME for you):

 UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"

Or, if you keep the keys in the generic image deploy directory:

 UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"

For the signing key, you MUST specify the name of the key without its extension, for example my-uboot-sign-key:

UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"

For the Distribution Package to generate the signing key itself, add the following variable in addition to UBOOT_SIGN_ENABLE:

FIT_GENERATE_KEYS = "1"

3.4 Summary: Machine contents

# to use FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
# signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# Sign FIT image
UBOOT_SIGN_ENABLE = "1"
# generate a new signing key if it does not exist
FIT_GENERATE_KEYS = "1"
# U-Boot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
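The key generation from section 2 and the UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME settings above, as an added example that is not part of this wiki page nor of Yocto/OpenEmbedded: a POSIX shell script that creates the key pair with the article's two openssl commands and then checks the directory/name pair before a build, including that the certificate's public key really belongs to the private key. The function names and the check itself are this example's own; the only deviation from the article's commands is an explicit -subj so that the certificate subject does not depend on openssl.cnf defaults.

```shell
#!/bin/sh
# Added example, not code from the ST wiki or from Yocto/OpenEmbedded.
# gen_fit_signing_key reproduces the article's two openssl commands;
# check_fit_signing_key is this example's own sanity check of the
# UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME pair before starting a build.

# gen_fit_signing_key DIR NAME [BITS]
# Creates DIR/NAME.key (RSA, public exponent F4) and a self-signed DIR/NAME.crt.
gen_fit_signing_key() {
    dir=$1; name=$2; bits=${3:-2048}
    mkdir -p "$dir" || return 1
    openssl genrsa -F4 -out "$dir/$name.key" "$bits" 2>/dev/null || return 1
    # -subj is added so the subject does not depend on openssl.cnf defaults
    openssl req -batch -new -x509 -subj "/CN=$name" \
        -key "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# check_fit_signing_key DIR NAME
# Returns 1 on any of the mistakes the build does not catch early:
#  - DIR is not absolute (UBOOT_SIGN_KEYDIR must be an absolute path)
#  - NAME carries a .key/.crt extension (UBOOT_SIGN_KEYNAME is the bare name)
#  - DIR/NAME.key or DIR/NAME.crt is missing
#  - with openssl available: the certificate's public key is not the one
#    belonging to the private key, which would otherwise only surface as a
#    signature verification failure in U-Boot at boot time
check_fit_signing_key() {
    dir=$1; name=$2
    case "$dir" in
        /*) ;;
        *) echo "UBOOT_SIGN_KEYDIR must be absolute: $dir" >&2; return 1 ;;
    esac
    case "$name" in
        *.key|*.crt) echo "UBOOT_SIGN_KEYNAME must not carry an extension: $name" >&2; return 1 ;;
    esac
    [ -r "$dir/$name.key" ] || { echo "missing private key: $dir/$name.key" >&2; return 1; }
    [ -r "$dir/$name.crt" ] || { echo "missing certificate: $dir/$name.crt" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null) || return 1
        crt_pub=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout 2>/dev/null) || return 1
        [ "$key_pub" = "$crt_pub" ] || { echo "certificate does not match private key" >&2; return 1; }
    fi
    return 0
}
```

Run `gen_fit_signing_key /abs/path/uboot-sign-directory my-uboot-sign-key` once, then `check_fit_signing_key` with the exact values you put in UBOOT_SIGN_KEYDIR and UBOOT_SIGN_KEYNAME.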