diff options
-rw-r--r-- | doc/mkimage.1 | 20 | ||||
-rw-r--r-- | tools/fit_image.c | 18 | ||||
-rw-r--r-- | tools/mkimage.c | 9 |
3 files changed, 38 insertions, 9 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 8185ff5647..f9c733a5e6 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -10,6 +10,9 @@ mkimage \- Generate image for U-Boot .RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]" .B mkimage +.RB [\fIoptions\fP] " \-F [" "uimage file name" "]" + +.B mkimage .RB [\fIoptions\fP] " (legacy mode)" .SH "DESCRIPTION" @@ -104,6 +107,13 @@ Image tree source file that describes the structure and contents of the FIT image. .TP +.BI "\-F" +Indicates that an existing FIT image should be modified. No dtc +compilation is performed and the -f flag should not be given. +This can be used to sign images with additional keys after initial image +creation. + +.TP .BI "\-k [" "key_directory" "]" Specifies the directory containing keys to use for signing. This directory should contain a private key file <name>.key for use with signing and a @@ -144,6 +154,16 @@ skipping those for which keys cannot be found. Also add a comment. -c "Kernel 3.8 image for production devices" kernel.itb .fi +.P +Update an existing FIT image, signing it with additional keys. +Add corresponding public keys into u-boot.dtb. This will resign all images +with keys that are available in the new directory. Images that request signing +with unavailable keys are skipped. +.nf +.B mkimage -F -k /secret/signing-keys -K u-boot.dtb \\\\ +-c "Kernel 3.8 image for production devices" kernel.itb +.fi + .SH HOMEPAGE http://www.denx.de/wiki/U-Boot/WebHome .PP diff --git a/tools/fit_image.c b/tools/fit_image.c index b17fa2d6c0..645e93c346 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -124,10 +124,16 @@ static int fit_handle_file (struct mkimage_params *params) } sprintf (tmpfile, "%s%s", params->imagefile, MKIMAGE_TMPFILE_SUFFIX); - /* dtc -I dts -O dtb -p 500 datafile > tmpfile */ - sprintf (cmd, "%s %s %s > %s", - MKIMAGE_DTC, params->dtc, params->datafile, tmpfile); - debug ("Trying to execute \"%s\"\n", cmd); + /* We either compile the source file, or use the existing FIT image */ + if (params->datafile) { + /* dtc -I dts -O dtb -p 500 datafile > tmpfile */ + snprintf(cmd, sizeof(cmd), "%s %s %s > %s", + MKIMAGE_DTC, params->dtc, params->datafile, tmpfile); + debug("Trying to execute \"%s\"\n", cmd); + } else { + snprintf(cmd, sizeof(cmd), "cp %s %s", + params->imagefile, tmpfile); + } if (system (cmd) == -1) { fprintf (stderr, "%s: system(%s) failed: %s\n", params->cmdname, cmd, strerror(errno)); @@ -153,8 +159,8 @@ static int fit_handle_file (struct mkimage_params *params) goto err_add_hashes; } - /* add a timestamp at offset 0 i.e., root */ - if (fit_set_timestamp (ptr, 0, sbuf.st_mtime)) { + /* for first image creation, add a timestamp at offset 0 i.e., root */ + if (params->datafile && fit_set_timestamp(ptr, 0, sbuf.st_mtime)) { fprintf (stderr, "%s: Can't add image timestamp\n", params->cmdname); goto err_add_timestamp; diff --git a/tools/mkimage.c b/tools/mkimage.c index 376039228a..e2b82d0c5c 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -240,12 +240,14 @@ main (int argc, char **argv) case 'f': if (--argc <= 0) usage (); + params.datafile = *++argv; + /* no break */ + case 'F': /* * The flattened image tree (FIT) format * requires a flattened device tree image type */ params.type = IH_TYPE_FLATDT; - params.datafile = *++argv; params.fflag = 1; goto NXTARG; case 'k': @@ -633,14 +635,15 @@ usage () " -d ==> use image data from 'datafile'\n" " -x ==> set XIP (execute in place)\n", params.cmdname); - fprintf(stderr, " %s [-D dtc_options] -f fit-image.its fit-image\n", + fprintf(stderr, " %s [-D dtc_options] [-f fit-image.its|-F] fit-image\n", params.cmdname); fprintf(stderr, " -D => set options for device tree compiler\n" " -f => input filename for FIT source\n"); #ifdef CONFIG_FIT_SIGNATURE fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n" " -k => set directory containing private keys\n" - " -K => write public keys to this .dtb file\n"); + " -K => write public keys to this .dtb file\n" + " -F => re-sign existing FIT image\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); #endif |