How to create Signed FIT image from Distribution package

Revision as of 09:19, 25 October 2022 by Registered User

Applicable for STM32MP13x lines, STM32MP15x lines

1 Article purpose

The purpose of this article is to explain how to create a signed FIT image containing a kernel image and devicetree.

Warning: with the current implementation on Yocto/OpenEmbedded, creating a signed FIT image requires that only one devicetree be declared on the machine.

2 Creating a signature key

Yocto/OpenEmbedded can generate a FIT signing key for you (see FIT_GENERATE_KEYS in the next section).
To provide your own key instead, follow the commands below to generate a new signing key manually.

  • To generate a new signing key manually:

Create a directory to receive the signing key (uboot-sign-directory in this example):

mkdir uboot-sign-directory/

Generate an RSA private key for signing the fitImage:

 openssl genrsa -F4 \
       -out  uboot-sign-directory/my-uboot-sign-key.key \
       2048

Generate a certificate for signing the fitImage:

 openssl req -batch -new -x509 \
     -key uboot-sign-directory/my-uboot-sign-key.key \
     -out uboot-sign-directory/my-uboot-sign-key.crt

3 Machine configuration on the Distribution Package

In the Yocto/OpenEmbedded machine configuration you must set several parameters:

  • force use of a FIT image
  • request to sign the FIT image
  • specify the path of the signing key


3.1 Use the FIT image

# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"

3.2 Enable FIT signing

UBOOT_SIGN_ENABLE = "1"

3.3 Signing key

If your keys are located in a specific directory, for example $HOME/uboot-sign-directory, give its absolute path:

 UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"

or, if you use the generic path:

 UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"

For the signing key, you MUST specify the name of the key without its extension, for example my-uboot-sign-key:

UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"

For the Distribution Package to generate the signing key itself, add the following variable in addition to UBOOT_SIGN_ENABLE:

FIT_GENERATE_KEYS = "1"
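The following script is an added example and not part of this article or of the Distribution Package: it generates the key pair with the article's openssl commands from section 2 (plus -subj, so no openssl.cnf defaults or prompts are needed) and then checks that the pair found under UBOOT_SIGN_KEYDIR/UBOOT_SIGN_KEYNAME is consistent before the build uses it. The function names and the directory/key-name arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): generate the FIT signing key pair and
# pre-flight it before configuring UBOOT_SIGN_KEYDIR / UBOOT_SIGN_KEYNAME.
# Assumes openssl is installed; directory and key name are passed as arguments.
set -eu

# Generate <dir>/<name>.key and <dir>/<name>.crt, as in section 2 of the article.
# -subj is added here so the certificate subject does not depend on openssl.cnf.
gen_fit_signing_key() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    openssl genrsa -F4 -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -batch -new -x509 -subj "/CN=$name" \
        -key "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Check the pair that mkimage will look up as <UBOOT_SIGN_KEYNAME>.key/.crt:
# both files exist, the key is 2048-bit RSA, and the certificate carries the
# public half of that private key (a mismatched pair produces a FIT that
# U-Boot rejects). Prints a reason and returns 1 on the first failed check.
check_fit_signing_key() {
    dir="$1"; name="$2"
    key="$dir/$name.key"; crt="$dir/$name.crt"
    [ -f "$key" ] || { echo "missing $key"; return 1; }
    [ -f "$crt" ] || { echo "missing $crt"; return 1; }
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "$bits" = "2048" ] || { echo "unexpected key size: ${bits:-?}"; return 1; }
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] \
        || { echo "certificate does not match private key"; return 1; }
    echo "ok: $name in $dir"
}

# Usage: sh fit-key-check.sh run [dir] [name]  (defaults match the article)
if [ "${1:-}" = "run" ]; then
    gen_fit_signing_key "${2:-uboot-sign-directory}" "${3:-my-uboot-sign-key}"
    check_fit_signing_key "${2:-uboot-sign-directory}" "${3:-my-uboot-sign-key}"
fi
```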

3.4 Summary: Machine contents

# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
# signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# sign the FIT image
UBOOT_SIGN_ENABLE = "1"
# generate a new signing key if none exists
FIT_GENERATE_KEYS = "1"
# U-Boot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"


4 References