1. Article purpose
The purpose of this article is to explain how to create a signed FIT image containing a kernel image and a device tree.
2. Creating signature key
Yocto/OpenEmbedded can create a key for signing the FIT image.
To create your own key, generate a new signing key manually with the following commands.
Create the directory that will receive the signing key (uboot-sign-directory in this example):
mkdir uboot-sign-directory/
Generate the RSA private key for signing the fitImage:
openssl genrsa -F4 -out uboot-sign-directory/my-uboot-sign-key.key 2048
Generate the certificate for signing the fitImage:
openssl req -batch -new -x509 -key uboot-sign-directory/my-uboot-sign-key.key -out uboot-sign-directory/my-uboot-sign-key.crt
3. Configuration of Machine on Distribution Package
In the Yocto/OpenEmbedded machine configuration, you need to specify several parameters:
- force the use of a FIT image
- request signing of the FIT image
- specify the path of the signing key
3.1. Use fit image
# to use fit image for kernel and devicetree
MACHINE_FEATURES += "fit"
3.2. Use Signing FIT
UBOOT_SIGN_ENABLE = "1"
3.3. Signing key
If your keys are located in a specific directory such as $HOME/uboot-sign-directory (use an absolute path):
UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"
Or, if you would like to use a generic path:
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
For the signing key, you MUST specify the name of the key (without the extension), for example my-uboot-sign-key:
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
For the Distribution Package to generate the signing key, you must set the following variable in addition to UBOOT_SIGN_ENABLE:
FIT_GENERATE_KEYS = "1"
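A key pair created manually as in section 2 can be checked before the build picks it up. The script below is an added example, not part of the original article or of the Yocto/OpenEmbedded tooling. The function name check_fit_signing_keys and its return codes are hypothetical, and it assumes the openssl command-line tool and an unencrypted key as produced by the commands above.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from Yocto/OpenEmbedded).
# check_fit_signing_keys KEYDIR KEYNAME
#   KEYDIR  - value intended for UBOOT_SIGN_KEYDIR (must be absolute)
#   KEYNAME - value intended for UBOOT_SIGN_KEYNAME (no extension)
# Returns 0 when <KEYDIR>/<KEYNAME>.key and .crt form a matching pair.
check_fit_signing_keys() {
    keydir=$1
    keyname=$2

    case $keydir in
        /*) ;;
        *) echo "KEYDIR must be an absolute path: $keydir" >&2; return 2 ;;
    esac
    case $keyname in
        *.key|*.crt)
            echo "KEYNAME must not carry an extension: $keyname" >&2
            return 3 ;;
    esac

    key=$keydir/$keyname.key
    crt=$keydir/$keyname.crt
    [ -f "$key" ] || { echo "missing private key: $key" >&2; return 4; }
    [ -f "$crt" ] || { echo "missing certificate: $crt" >&2; return 4; }

    # Public key derived from the private key vs. the one in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 5; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $crt" >&2; return 5; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "certificate does not match private key" >&2
        return 6
    fi

    # Warn (do not fail) when group or others have any access to the key.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        echo "warning: $key is accessible beyond its owner ($perms)" >&2
    return 0
}
```

Call it with the same values given to UBOOT_SIGN_KEYDIR and UBOOT_SIGN_KEYNAME, for example check_fit_signing_keys "$HOME/uboot-sign-directory" my-uboot-sign-key.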
3.4. Summary: Machine contents
# to use fit image for kernel and devicetree
MACHINE_FEATURES += "fit"
# signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# Sign fit image
UBOOT_SIGN_ENABLE = "1"
# generate a new signing key if none exists
FIT_GENERATE_KEYS = "1"
# U-Boot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"