Last edited one month ago

How to create Signed FIT image from Distribution package

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP21x lines, STM32MP23x lines, STM32MP25x lines


1. Article purpose[edit | edit source]

The purpose of this article is to explain how to create a signed FIT image containing a kernel image and devicetree.

Warning white.png Warning
With the current implementation on Yocto/Openembedded, the creation of a signed FIT image requires that you declare only one devicetree on the machine

2. Creating a signature key[edit | edit source]

Yocto/Openembeded can create a key for signing a FIT image.
To create your own key, follow the commands below to generate a new signing key manually.

  • To generate a new signing key manually:

Create a directory to receive the signing key (uboot-sign-directory for this example)

mkdir uboot-sign-directory/

Generate an RSA private key for signing the fitImage:

 openssl genrsa -F4 \
       -out  uboot-sign-directory/my-uboot-sign-key.key \
       2048

Generate a certificate for signing the fitImage:

 openssl req -batch -new -x509 \
     -key uboot-sign-directory/my-uboot-sign-key.key \
     -out uboot-sign-directory/my-uboot-sign-key.crt

3. Machine configuration on the Distribution Package[edit | edit source]

On the Yocto/Openembedded machine you must specify several parameters:

  • force use of a FIT image
  • request to sign the FIT image
  • specify the path of the signing key


3.1. Use the FIT image[edit | edit source]

# to use the FIT image for kernel and devicetree
 MACHINE_FEATURES += "fit"

3.2. Use the Signing FIT[edit | edit source]

UBOOT_SIGN_ENABLE = "1"

3.3. Signing key[edit | edit source]

if your keys are localized in a specific directory, for example $HOME/uboot-sign-directory (put an absolute path)

 UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"

or if you use a generic path

 UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"

For the signing key, you MUST specify the name of the key (without the extension), my-uboot-sign-key for example

UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"

For the Distribution Package to generate the signing key, you must add the following key in addition to UBOOT_SIGN_ENABLE

FIT_GENERATE_KEYS = "1"

3.4. Summary: Machine contents[edit | edit source]

# to use FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
#signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# Sign FIT image
UBOOT_SIGN_ENABLE = "1"
# generate new signing key if not exist
FIT_GENERATE_KEYS = "1"
# Uboot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"


4. References[edit | edit source]