summaryrefslogtreecommitdiff
path: root/doc/mkimage.1
diff options
context:
space:
mode:
authorSimon Glass <sjg@chromium.org>2013-06-13 15:10:04 -0700
committerTom Rini <trini@ti.com>2013-06-26 10:18:56 -0400
commite29495d37f7c0533d365004ca475218250351c93 (patch)
tree1ce4db084dea8f629a934abef35140cd79e2b127 /doc/mkimage.1
parent80e4df8ac661ada5308f3bffebe4e6fae1f8e990 (diff)
mkimage: Add -K to write public keys to an FDT blob
FIT image verification requires public keys. Add a convenient option to mkimage to write the public keys to an FDT blob when it uses then for signing an image. This allows us to use: mkimage -f test.its -K dest.dtb -k keys test.fit and have the signatures written to test.fit and the corresponding public keys written to dest.dtb. Then dest.dtb can be used as the control FDT for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the public keys it needs. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Marek Vasut <marex@denx.de>
Diffstat (limited to 'doc/mkimage.1')
-rw-r--r--doc/mkimage.116
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1
index 6740fb1061..8185ff5647 100644
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -109,6 +109,14 @@ Specifies the directory containing keys to use for signing. This directory
should contain a private key file <name>.key for use with signing and a
certificate <name>.crt (containing the public key) for use with verification.
+.TP
+.BI "\-K [" "key_destination" "]"
+Specifies a compiled device tree binary file (typically .dtb) to write
+public key information into. When a private key is used to sign an image,
+the corresponding public key is written into this file for for run-time
+verification. Typically the file here is the device tree binary used by
+CONFIG_OF_CONTROL in U-Boot.
+
.SH EXAMPLES
List image information:
@@ -127,6 +135,14 @@ Create FIT image with compressed PowerPC Linux kernel:
.nf
.B mkimage -f kernel.its kernel.itb
.fi
+.P
+Create FIT image with compressed kernel and sign it with keys in the
+/public/signing-keys directory. Add corresponding public keys into u-boot.dtb,
+skipping those for which keys cannot be found. Also add a comment.
+.nf
+.B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\
+-c "Kernel 3.8 image for production devices" kernel.itb
+.fi
.SH HOMEPAGE
http://www.denx.de/wiki/U-Boot/WebHome