One limitation of FIT is that all the data is 'inline' within it, using a
'data' property in each image node. This means that to find out what is in
the FIT it is necessary to scan the entire file. Once loaded it can be
scanned and then the images can be copied to the correct place in memory.
In SPL it can take a significant amount of time to copy images around in
memory. Also loading data that does not end up being used is wasteful. It
would be useful if the FIT were small, acting as a directory, with the
actual data stored elsewhere.
This allows SPL to load the entire FIT, without the images, then load the
images it wants later.
Add a -E option to mkimage to request that it output an 'external' FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
To make the auto-FIT feature useful we need to be able to provide a list of
device tree files on the command line for mkimage to add into the FIT. Add
support for this feature.
So far there is no support for hashing or verified boot using this method.
For those cases, a .its file must still be provided.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present, when generating a FIT, mkimage requires a .its file containing
the structure of the FIT and referring to the images to be included.
Creating the .its file is a separate step that makes it harder to use FIT.
This is not required for creating legacy images.
Often the FIT is pretty standard, consisting of an OS image, some device
tree files and a single configuration. We can handle this case automatically
and avoid needing a .its file at all.
To start with, support automatically generate the FIT using a new '-f auto'
option. Initially this only supports adding a single image (e.g. a linux
kernel) and a single configuration.
Signed-off-by: Simon Glass <sjg@chromium.org>
This will be used in mkimage when working out the required size of the FIT
based on the files to be placed into it.
Signed-off-by: Simon Glass <sjg@chromium.org>
* Escape use of - in description of -F.
* Fix line continuations in examples so that the continued lines are
also bold.
Signed-off-by: Vagrant Cascadian <vagrant@debian.org>
Normally, multiple public keys can be provided and U-Boot is not
required to use all of them for verification. This is because some
images may not be signed, or may be optionally signed.
But we still need a mechanism to determine when a key must be used.
This feature cannot be implemented in the FIT itself, since anyone
could change it to mark a key as optional. The requirement for
key verification must go in with the public keys, in a place that
is protected from modification.
Add a -r option which tells mkimage to mark all keys that it uses
for signing as 'required'.
If some keys are optional and some are required, run mkimage several
times (perhaps with different key directories if some keys are very
secret) using the -F flag to update an existing FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
When signing an image, it is useful to add some details about which tool
or person is authorising the signing. Add a comment field which can take
care of miscellaneous requirements.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
When signing images it is sometimes necessary to sign with different keys
at different times, or make the signer entirely separate from the FIT
creation to avoid needing the private keys to be publicly available in
the system.
Add a -F option so that key signing can be a separate step, and possibly
done multiple times as different keys are avaiable.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses then for
signing an image. This allows us to use:
mkimage -f test.its -K dest.dtb -k keys test.fit
and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
Keys required for signing images will be in a specific directory. Add a
-k option to specify that directory.
Also update the mkimage man page with this information and a clearer list
of available commands.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)
By default, "-" chars are interpreted as hyphens (U+2010) by groff, not
as minus signs (U+002D). Since options to programs use minus signs
(U+002D), this means for example in UTF-8 locales that you cannot cut
and paste options, nor search for them easily.
(Reported by lintian.)
Signed-off-by: Loc Minier <loic.minier@linaro.org>
Some Linux distributions include the "mkimage" as a package.
This commit provides a manual page for mkimage.
Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Added documentation for FIT images and examples.
Moved to doc/ directory.
Signed-off-by: Wolfgang Denk <wd@denx.de>