
How to create Signed FIT image from Distribution package

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP21x lines, STM32MP23x lines, STM32MP25x lines


1. Article purpose

The purpose of this article is to explain how to create a signed FIT image containing a kernel image and devicetree.

Warning: with the current implementation on Yocto/OpenEmbedded, the creation of a signed FIT image requires that you declare only one devicetree on the machine.

2. Creating a signature key

Yocto/OpenEmbedded can create a key for signing a FIT image (see FIT_GENERATE_KEYS below).
To create your own key instead, follow the commands below to generate a new signing key manually.

Create a directory to receive the signing key (uboot-sign-directory in this example):

mkdir uboot-sign-directory/

Generate an RSA private key for signing the fitImage:

openssl genrsa -F4 \
    -out uboot-sign-directory/my-uboot-sign-key.key \
    2048

Generate a certificate for signing the fitImage:

openssl req -batch -new -x509 \
    -key uboot-sign-directory/my-uboot-sign-key.key \
    -out uboot-sign-directory/my-uboot-sign-key.crt
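As an added example (not part of the original article), the two commands above wrapped in a script that also checks the result before you point the machine configuration at it: the certificate must carry the same RSA modulus as the private key, the key must be 2048-bit RSA with public exponent 65537 (what -F4 produces), and both files must sit in the same directory under the same base name, which is what UBOOT_SIGN_KEYDIR and UBOOT_SIGN_KEYNAME assume. It assumes the openssl CLI is on PATH; the -subj argument and the function names generate_fit_keypair / check_fit_keypair are additions of this example.

```shell
#!/bin/sh
# Added example, not code from the ST wiki: generate the FIT signing key
# pair as the article does, then sanity-check it.
# Assumptions: openssl CLI on PATH; DIR and NAME are passed as arguments.
set -u

# generate_fit_keypair DIR NAME -> creates DIR/NAME.key and DIR/NAME.crt
generate_fit_keypair() {
    dir=$1; name=$2
    mkdir -p "$dir"
    # 2048-bit RSA with public exponent 65537 (-F4), as in the article
    openssl genrsa -F4 -out "$dir/$name.key" 2048 2>/dev/null || return 1
    # Self-signed certificate; mkimage extracts the public key from it.
    # -subj is an addition so the command never prompts for a DN.
    openssl req -batch -new -x509 -subj "/CN=$name" \
        -key "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
}

# check_fit_keypair DIR NAME -> 0 if NAME.key and NAME.crt belong together
# and the key has the parameters the article generates, 1 otherwise
check_fit_keypair() {
    dir=$1; name=$2
    key="$dir/$name.key"; crt="$dir/$name.crt"
    [ -f "$key" ] || { echo "missing $key"; return 1; }
    [ -f "$crt" ] || { echo "missing $crt"; return 1; }
    # The private key and the certificate must share one RSA modulus;
    # otherwise U-Boot will reject every image signed with this key.
    kmod=$(openssl rsa  -in "$key" -noout -modulus) || return 1
    cmod=$(openssl x509 -in "$crt" -noout -modulus) || return 1
    [ "$kmod" = "$cmod" ] || { echo "certificate does not match key"; return 1; }
    txt=$(openssl rsa -in "$key" -noout -text) || return 1
    echo "$txt" | grep -q 'Private-Key: (2048 bit' \
        || { echo "key is not 2048-bit RSA"; return 1; }
    echo "$txt" | grep -q 'publicExponent: 65537' \
        || { echo "public exponent is not 65537"; return 1; }
    echo "ok: $name is a consistent 2048-bit RSA signing key pair"
}
```

Run it as `generate_fit_keypair uboot-sign-directory my-uboot-sign-key && check_fit_keypair uboot-sign-directory my-uboot-sign-key`; the check is also useful on an existing key directory before a build.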

3. Machine configuration on the Distribution Package

In the Yocto/OpenEmbedded machine configuration you must specify several parameters:

  • force use of a FIT image
  • request to sign the FIT image
  • specify the path of the signing key


3.1. Use the FIT image

# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"

3.2. Enable FIT image signing

UBOOT_SIGN_ENABLE = "1"

3.3. Signing key

If your keys are located in a specific directory, for example $HOME/uboot-sign-directory (use an absolute path):

UBOOT_SIGN_KEYDIR = "$HOME/uboot-sign-directory"

Or, if you use the generic deploy path:

UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"

For the signing key, you MUST specify the name of the key without its extension, my-uboot-sign-key for example:

UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"

For the Distribution Package to generate the signing key itself, add the following variables in addition to UBOOT_SIGN_ENABLE:

FIT_GENERATE_KEYS = "1"
UBOOT_DTB_SIGNED = ""
UBOOT_DTB_BINARY = ""

3.4. Summary: Machine contents

# to use the FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
# signing key
UBOOT_SIGN_KEYDIR = "${DEPLOY_DIR_IMAGE}"
UBOOT_SIGN_KEYNAME = "my-uboot-sign-key"
# sign the FIT image
UBOOT_SIGN_ENABLE = "1"
UBOOT_DTB_SIGNED = ""
UBOOT_DTB_BINARY = ""
# generate a new signing key if none exists
FIT_GENERATE_KEYS = "1"
# U-Boot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

4. References