summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/mkimage.120
-rw-r--r--tools/fit_image.c18
-rw-r--r--tools/mkimage.c9
3 files changed, 38 insertions, 9 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1
index 8185ff5647..f9c733a5e6 100644
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -10,6 +10,9 @@ mkimage \- Generate image for U-Boot
.RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]"
.B mkimage
+.RB [\fIoptions\fP] " \-F [" "uimage file name" "]"
+
+.B mkimage
.RB [\fIoptions\fP] " (legacy mode)"
.SH "DESCRIPTION"
@@ -104,6 +107,13 @@ Image tree source file that describes the structure and contents of the
FIT image.
.TP
+.BI "\-F"
+Indicates that an existing FIT image should be modified. No dtc
+compilation is performed and the -f flag should not be given.
+This can be used to sign images with additional keys after initial image
+creation.
+
+.TP
.BI "\-k [" "key_directory" "]"
Specifies the directory containing keys to use for signing. This directory
should contain a private key file <name>.key for use with signing and a
@@ -144,6 +154,16 @@ skipping those for which keys cannot be found. Also add a comment.
-c "Kernel 3.8 image for production devices" kernel.itb
.fi
+.P
+Update an existing FIT image, signing it with additional keys.
+Add corresponding public keys into u-boot.dtb. This will resign all images
+with keys that are available in the new directory. Images that request signing
+with unavailable keys are skipped.
+.nf
+.B mkimage -F -k /secret/signing-keys -K u-boot.dtb \\\\
+-c "Kernel 3.8 image for production devices" kernel.itb
+.fi
+
.SH HOMEPAGE
http://www.denx.de/wiki/U-Boot/WebHome
.PP
diff --git a/tools/fit_image.c b/tools/fit_image.c
index b17fa2d6c0..645e93c346 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -124,10 +124,16 @@ static int fit_handle_file (struct mkimage_params *params)
}
sprintf (tmpfile, "%s%s", params->imagefile, MKIMAGE_TMPFILE_SUFFIX);
- /* dtc -I dts -O dtb -p 500 datafile > tmpfile */
- sprintf (cmd, "%s %s %s > %s",
- MKIMAGE_DTC, params->dtc, params->datafile, tmpfile);
- debug ("Trying to execute \"%s\"\n", cmd);
+ /* We either compile the source file, or use the existing FIT image */
+ if (params->datafile) {
+ /* dtc -I dts -O dtb -p 500 datafile > tmpfile */
+ snprintf(cmd, sizeof(cmd), "%s %s %s > %s",
+ MKIMAGE_DTC, params->dtc, params->datafile, tmpfile);
+ debug("Trying to execute \"%s\"\n", cmd);
+ } else {
+ snprintf(cmd, sizeof(cmd), "cp %s %s",
+ params->imagefile, tmpfile);
+ }
if (system (cmd) == -1) {
fprintf (stderr, "%s: system(%s) failed: %s\n",
params->cmdname, cmd, strerror(errno));
@@ -153,8 +159,8 @@ static int fit_handle_file (struct mkimage_params *params)
goto err_add_hashes;
}
- /* add a timestamp at offset 0 i.e., root */
- if (fit_set_timestamp (ptr, 0, sbuf.st_mtime)) {
+ /* for first image creation, add a timestamp at offset 0 i.e., root */
+ if (params->datafile && fit_set_timestamp(ptr, 0, sbuf.st_mtime)) {
fprintf (stderr, "%s: Can't add image timestamp\n",
params->cmdname);
goto err_add_timestamp;
diff --git a/tools/mkimage.c b/tools/mkimage.c
index 376039228a..e2b82d0c5c 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -240,12 +240,14 @@ main (int argc, char **argv)
case 'f':
if (--argc <= 0)
usage ();
+ params.datafile = *++argv;
+ /* no break */
+ case 'F':
/*
* The flattened image tree (FIT) format
* requires a flattened device tree image type
*/
params.type = IH_TYPE_FLATDT;
- params.datafile = *++argv;
params.fflag = 1;
goto NXTARG;
case 'k':
@@ -633,14 +635,15 @@ usage ()
" -d ==> use image data from 'datafile'\n"
" -x ==> set XIP (execute in place)\n",
params.cmdname);
- fprintf(stderr, " %s [-D dtc_options] -f fit-image.its fit-image\n",
+ fprintf(stderr, " %s [-D dtc_options] [-f fit-image.its|-F] fit-image\n",
params.cmdname);
fprintf(stderr, " -D => set options for device tree compiler\n"
" -f => input filename for FIT source\n");
#ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n"
" -k => set directory containing private keys\n"
- " -K => write public keys to this .dtb file\n");
+ " -K => write public keys to this .dtb file\n"
+ " -F => re-sign existing FIT image\n");
#else
fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
#endif