-
Notifications
You must be signed in to change notification settings - Fork 2
rkraevskiy/ubootpubkey
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
==================== Ubpubkey was created to separate u-boot compilation from FIT image generation and signing. The following steps can be used with ubpubkey: 1. keys generation 2. u-boot compilation with embedded RSA public key 3. FIT image generation 4. FIT image signing This schema is more flexible: no need to have private keys for compilation and images generation. ==================== Keys generation Generate a private key: openssl genrsa -out keys/uboot_sign_key.key 4096 Generate public key from private key: openssl req -batch -new -x509 -key keys/uboot_sign_key.key -out keys/uboot_sign_key.crt ==================== U-boot compilation create an u-boot DTS uboot-dts/u-boot.dts with key entry like below: /dts-v1/; / { model ="Keys"; compatible ="vendor,board"; signature { key-my_key { required ="conf"; algo ="sha1,rsa4096"; key-name-hint ="uboot_sign_key"; #include "u-boot-pubkey.dtsi" }; }; }; Generate an u-boot dts include file with public key information: ubpubkey.py keys/uboot_sign_key.crt uboot-dts/u-boot-pubkey.dtsi Generate an u-boot dts file with public key information: cpp -P -x assembler-with-cpp -Iuboot-dts -nostdinc -undef -D__DTS__ uboot-dts/u-boot.dts -o out/u-boot.dts Use the out/u-boot.dts during an u-boot image generation. ==================== FIT image generation Create a file fitImage.its with content like below: /dts-v1/; / { description ="fitImage for Foo"; images { kernel@1 { description ="Linux kernel"; data = /incbin/("foo/zImage"); type ="kernel"; arch ="arm"; os ="linux"; compression ="none"; load = <0x10008000>; entry = <0x10008000>; hash-1 { algo = "sha256"; }; }; fdt@1 { description ="DTB for Foo"; data = /incbin/("foo/foo.dtb"); type ="flat_dt"; arch ="arm"; compression ="none"; hash-1 { algo = "sha256"; }; }; }; configurations { default="conf@1"; conf@1{ kernel ="kernel@1"; fdt ="fdt@1"; signature@1 { algo ="sha256,rsa4096"; key-name-hint ="uboot_sign_key"; sign-images = "fdt", "kernel"; }; }; }; }; Generate a FIT image with (no signature inside): mkimage -f fitImage.its -r out/fitImage ==================== Sign the FIT image mkimage -F -k keys/ -r out/fitImage
About
Script to generate RSA public key information for u-boot
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published