1. Article purpose
The purpose of this article is to explain how to create a signed FIT image containing a kernel image and devicetree.
2. Creating a signature key
Yocto/OpenEmbedded can generate a key for signing a FIT image by itself (see FIT_GENERATE_KEYS below). To create your own key instead, generate a new signing key manually with the commands below.
Create a directory to receive the signing key (uboot-sign-directory in this example):
mkdir uboot-sign-directory/
Generate an RSA private key for signing the fitImage:
openssl genrsa -F4 \
    -out uboot-sign-directory/my-uboot-sign-key.key \
    2048
Generate a certificate for signing the fitImage:
openssl req -batch -new -x509 \
    -key uboot-sign-directory/my-uboot-sign-key.key \
    -out uboot-sign-directory/my-uboot-sign-key.crt
3. Machine configuration on the Distribution Package
On the Yocto/OpenEmbedded machine you must specify several parameters:
- force use of a FIT image
- request to sign the FIT image
- specify the path of the signing key
3.1. Use the FIT image
# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
3.2. Sign the FIT image
UBOOT_SIGN_ENABLE = "1"
3.3. Signing key
If your keys are located in a specific directory, for example $HOME/uboot-sign-directory, give its absolute path:
UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"
or, if you use the generic deploy directory:
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
You MUST also specify the name of the signing key without its extension (my-uboot-sign-key in this example):
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
For the Distribution Package to generate the signing key itself, add the following variable in addition to UBOOT_SIGN_ENABLE:
FIT_GENERATE_KEYS = "1"
3.4. Summary: Machine contents
# to use FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
# signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# Sign FIT image
UBOOT_SIGN_ENABLE = "1"
# generate new signing key if not exist
FIT_GENERATE_KEYS = "1"
# Uboot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
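As an added example (not part of the wiki page or of the Yocto/OpenEmbedded layers), the two shell functions below wrap the key generation from section 2 and add the check a practitioner wants before pointing UBOOT_SIGN_KEYDIR and UBOOT_SIGN_KEYNAME at the files: the certificate must carry the public key of the private key, otherwise U-Boot will reject the signature of the built fitImage. It assumes openssl is on PATH; the -subj value is an addition to the page's command and is only a placeholder subject name.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes openssl on PATH.

# Generate <keydir>/<keyname>.key and <keydir>/<keyname>.crt, the pair that
# UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME must point at.
make_fit_sign_key() {
    keydir="$1"; keyname="$2"
    mkdir -p "$keydir" || return 1
    # RSA 2048 with public exponent 65537 (-F4), as in the page's command
    openssl genrsa -F4 -out "$keydir/$keyname.key" 2048 2>/dev/null || return 1
    # Self-signed certificate; U-Boot only embeds the public key from it,
    # so the subject name is a placeholder (-subj added to avoid prompts)
    openssl req -batch -new -x509 -subj "/CN=$keyname" \
        -key "$keydir/$keyname.key" \
        -out "$keydir/$keyname.crt" 2>/dev/null || return 1
}

# Return 0 only if both files exist and the certificate's public key is the
# public key of the private key. A stale or foreign .crt beside a fresh .key
# builds cleanly but yields a fitImage whose signature fails at boot.
check_fit_sign_key() {
    keydir="$1"; keyname="$2"
    [ -r "$keydir/$keyname.key" ] || return 1
    [ -r "$keydir/$keyname.crt" ] || return 1
    # Both commands print the SubjectPublicKeyInfo as PEM, so they compare as text
    from_key=$(openssl pkey -in "$keydir/$keyname.key" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$keydir/$keyname.crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}
```

Run check_fit_sign_key on the directory named in UBOOT_SIGN_KEYDIR before starting the build; with FIT_GENERATE_KEYS = "1" the build creates the pair itself and this check is only needed for manually supplied keys.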