u-boot/doc/mkimage.1
Simon Glass e29495d37f mkimage: Add -K to write public keys to an FDT blob
FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses then for
signing an image. This allows us to use:

   mkimage -f test.its -K dest.dtb -k keys test.fit

and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
2013-06-26 10:18:56 -04:00

153 lines
3.9 KiB
Groff

.TH MKIMAGE 1 "2010-05-16"
.SH NAME
mkimage \- Generate image for U-Boot
.SH SYNOPSIS
.B mkimage
.RB "\-l [" "uimage file name" "]"
.B mkimage
.RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]"
.B mkimage
.RB [\fIoptions\fP] " (legacy mode)"
.SH "DESCRIPTION"
The
.B mkimage
command is used to create images for use with the U-Boot boot loader.
These images can contain the linux kernel, device tree blob, root file
system image, firmware images etc., either separate or combined.
.B mkimage
supports two different formats:
The old
.I legacy image
format concatenates the individual parts (for example, kernel image,
device tree blob and ramdisk image) and adds a 64 bytes header
containing information about target architecture, operating system,
image type, compression method, entry points, time stamp, checksums,
etc.
The new
.I FIT (Flattened Image Tree) format
allows for more flexibility in handling images of various types and also
enhances integrity protection of images with stronger checksums. It also
supports verified boot.
.SH "OPTIONS"
.B List image information:
.TP
.BI "\-l [" "uimage file name" "]"
mkimage lists the information contained in the header of an existing U-Boot image.
.P
.B Create old legacy image:
.TP
.BI "\-A [" "architecture" "]"
Set architecture. Pass \-h as the architecture to see the list of supported architectures.
.TP
.BI "\-O [" "os" "]"
Set operating system. bootm command of u-boot changes boot method by os type.
Pass \-h as the OS to see the list of supported OS.
.TP
.BI "\-T [" "image type" "]"
Set image type.
Pass \-h as the image to see the list of supported image type.
.TP
.BI "\-C [" "compression type" "]"
Set compression type.
Pass \-h as the compression to see the list of supported compression type.
.TP
.BI "\-a [" "load addess" "]"
Set load address with a hex number.
.TP
.BI "\-e [" "entry point" "]"
Set entry point with a hex number.
.TP
.BI "\-l"
List the contents of an image.
.TP
.BI "\-n [" "image name" "]"
Set image name to 'image name'.
.TP
.BI "\-d [" "image data file" "]"
Use image data from 'image data file'.
.TP
.BI "\-x"
Set XIP (execute in place) flag.
.P
.B Create FIT image:
.TP
.BI "\-D [" "dtc options" "]"
Provide special options to the device tree compiler that is used to
create the image.
.TP
.BI "\-f [" "image tree source file" "]"
Image tree source file that describes the structure and contents of the
FIT image.
.TP
.BI "\-k [" "key_directory" "]"
Specifies the directory containing keys to use for signing. This directory
should contain a private key file <name>.key for use with signing and a
certificate <name>.crt (containing the public key) for use with verification.
.TP
.BI "\-K [" "key_destination" "]"
Specifies a compiled device tree binary file (typically .dtb) to write
public key information into. When a private key is used to sign an image,
the corresponding public key is written into this file for for run-time
verification. Typically the file here is the device tree binary used by
CONFIG_OF_CONTROL in U-Boot.
.SH EXAMPLES
List image information:
.nf
.B mkimage -l uImage
.fi
.P
Create legacy image with compressed PowerPC Linux kernel:
.nf
.B mkimage -A powerpc -O linux -T kernel -C gzip \\\\
.br
.B -a 0 -e 0 -n Linux -d vmlinux.gz uImage
.fi
.P
Create FIT image with compressed PowerPC Linux kernel:
.nf
.B mkimage -f kernel.its kernel.itb
.fi
.P
Create FIT image with compressed kernel and sign it with keys in the
/public/signing-keys directory. Add corresponding public keys into u-boot.dtb,
skipping those for which keys cannot be found. Also add a comment.
.nf
.B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\
-c "Kernel 3.8 image for production devices" kernel.itb
.fi
.SH HOMEPAGE
http://www.denx.de/wiki/U-Boot/WebHome
.PP
.SH AUTHOR
This manual page was written by Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
and Wolfgang Denk <wd@denx.de>. It was updated for image signing by
Simon Glass <sjg@chromium.org>.