From patchwork Thu May 11 16:11:39 2023
X-Patchwork-Submitter: Michael Opdenacker
X-Patchwork-Id: 23826
From: michael.opdenacker@bootlin.com
To: docs@lists.yoctoproject.org
Cc: Michael Opdenacker, Jamin Lin, Sean Anderson
Subject: [PATCH 1/2] ref-manual: improve description of kernel-fitimage variables
Date: Thu, 11 May 2023 18:11:39 +0200
Message-Id: <20230511161140.2387483-1-michael.opdenacker@bootlin.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3931

From: Michael Opdenacker

- Mentioning that they are related to this class (for further information about their usage)
- Replace "fitImage" by "FIT image"
- Minor formatting and style fixes

Signed-off-by: Michael Opdenacker
CC: Jamin Lin
CC: Sean Anderson
--- documentation/ref-manual/classes.rst | 4 +- documentation/ref-manual/variables.rst | 105 ++++++++++++++++--------- 2 files changed, 68 insertions(+), 41 deletions(-) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 94b6a3ebd7..2f96ffb82f 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -1582,13 +1582,13 @@ The :ref:`ref-classes-kernel-devicetree` class, which is inherited by the =================== The :ref:`ref-classes-kernel-fitimage` class provides support to pack a kernel image, -device trees, a U-boot script, a :term:`Initramfs` bundle and a RAM disk +device trees, a U-boot script, an :term:`Initramfs` bundle and a RAM disk into a single FIT image. In theory, a FIT image can support any number of kernels, U-boot scripts, :term:`Initramfs` bundles, RAM disks and device-trees. However, :ref:`ref-classes-kernel-fitimage` currently only supports limited usecases: just one kernel image, an optional U-boot script, an optional :term:`Initramfs` bundle, an optional RAM disk, and any number of -device tree. +device trees. To create a FIT image, it is required that :term:`KERNEL_CLASSES` is set to include ":ref:`ref-classes-kernel-fitimage`" and :term:`KERNEL_IMAGETYPE` diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 4b69843d4d..b7d3c05ce2 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -2921,9 +2921,8 @@ system and gives an overview of their function and contents. table file, examine the existing ``fs-perms.txt``. :term:`FIT_ADDRESS_CELLS` - Specifies the value of the ``#address-cells`` value for the - description of the kernel FIT image. + description of the FIT image. The default value is set to "1" by the :ref:`ref-classes-kernel-fitimage` class, which corresponds to 32 bit addresses. 
@@ -2941,67 +2940,82 @@ system and gives an overview of their function and contents. See `more details about #address-cells `__. :term:`FIT_CONF_DEFAULT_DTB` - Specifies the default device tree binary (dtb) file for a fitImage when - multiple are provided. + Specifies the default device tree binary (dtb) file for a FIT image + when multiple ones are provided. + + This variable is used in the :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_DESC` - Specifies the description string encoded into a fitImage. The default - value is set by the :ref:`ref-classes-kernel-fitimage` - class as follows:: + Specifies the description string encoded into a FIT image. The + default value is set by the :ref:`ref-classes-kernel-fitimage` class as + follows:: FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" :term:`FIT_GENERATE_KEYS` - Decides whether to generate the keys for signing fitImage if they - don't already exist. The keys are created in :term:`UBOOT_SIGN_KEYDIR`. - The default value is 0. + Decides whether to generate the keys for signing the FIT image if + they don't already exist. The keys are created in + :term:`UBOOT_SIGN_KEYDIR`. The default value is set to "0" + by the :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_HASH_ALG` - Specifies the hash algorithm used in creating the FIT Image. For e.g. sha256. + Specifies the hash algorithm used in creating the FIT Image. + This variable is set by default to "sha256" by the + :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_KERNEL_COMP_ALG` - Compression algorithm to use for the kernel image inside the FIT Image. + The compression algorithm to use for the kernel image inside the FIT Image. At present, the only supported values are "gzip" (default), "lzo" or "none". If you set this variable to anything other than "none" you may also need to set :term:`FIT_KERNEL_COMP_ALG_EXTENSION`. + This variable is used in the :ref:`ref-classes-kernel-uboot` class. 
+ :term:`FIT_KERNEL_COMP_ALG_EXTENSION` File extension corresponding to :term:`FIT_KERNEL_COMP_ALG`. The default - value is ".gz". If you set :term:`FIT_KERNEL_COMP_ALG` to "lzo", - you may want to set this variable to ".lzo". + value is set ".gz" by the :ref:`ref-classes-kernel-uboot` class. If you + set :term:`FIT_KERNEL_COMP_ALG` to "lzo", you may want to set this + variable to ".lzo". :term:`FIT_KEY_GENRSA_ARGS` - Arguments to openssl genrsa for generating RSA private key for signing - fitImage. The default value is "-F4". i.e. the public exponent 65537 to - use. + Arguments to ``openssl genrsa`` for generating a RSA private key for + signing the FIT image. The default value is set to "-F4" by the + :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_KEY_REQ_ARGS` - Arguments to openssl req for generating certificate for signing fitImage. - The default value is "-batch -new". batch for non interactive mode - and new for generating new keys. + Arguments to ``openssl req`` for generating a certificate for signing + the FIT image. The default value is "-batch -new" by the + :ref:`ref-classes-kernel-fitimage` class, "batch" for + non interactive mode and "new" for generating new keys. :term:`FIT_KEY_SIGN_PKCS` - Format for public key certificate used in signing fitImage. - The default value is "x509". + Format for the public key certificate used for signing the FIT image. + The default value is set to "x509" by the + :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_SIGN_ALG` Specifies the signature algorithm used in creating the FIT Image. - For e.g. rsa2048. + This variable is set by default to "rsa2048" by the + :ref:`ref-classes-kernel-fitimage` class. :term:`FIT_PAD_ALG` Specifies the padding algorithm used in creating the FIT Image. - The default value is "pkcs-1.5". + The default value is set to "pkcs-1.5" by the + :ref:`ref-classes-kernel-fitimage` class. 
:term:`FIT_SIGN_INDIVIDUAL` If set to "1", then the :ref:`ref-classes-kernel-fitimage` class will sign the kernel, dtb and ramdisk images individually in addition - to signing the fitImage itself. This could be useful if you are + to signing the FIT image itself. This could be useful if you are intending to verify signatures in another context than booting via U-Boot. + This variable is set to "0" by default. + :term:`FIT_SIGN_NUMBITS` - Size of private key in number of bits used in fitImage. The default - value is "2048". + Size of the private key used in the FIT image, in number of bits. + The default value for this variable is set to "2048" + by the :ref:`ref-classes-kernel-fitimage` class. :term:`FONT_EXTRA_RDEPENDS` When inheriting the :ref:`ref-classes-fontcache` class, @@ -4396,7 +4410,7 @@ system and gives an overview of their function and contents. :ref:`ref-classes-kernel` class should inherit. You typically append this variable to enable extended image types. An example is ":ref:`ref-classes-kernel-fitimage`", which enables - fitImage support and resides in ``meta/classes-recipe/kernel-fitimage.bbclass``. + FIT image support and resides in ``meta/classes-recipe/kernel-fitimage.bbclass``. You can register custom kernel image types with the :ref:`ref-classes-kernel` class using this variable. @@ -9094,6 +9108,11 @@ system and gives an overview of their function and contents. To pass a 64 bit address for FIT image creation, you will need to set the :term:`FIT_ADDRESS_CELLS` variable too. + This variable is used by the :ref:`ref-classes-kernel-fitimage`, + :ref:`ref-classes-kernel-uimage`, :ref:`ref-classes-kernel`, + :ref:`ref-classes-uboot-config` and :ref:`ref-classes-uboot-sign` + classes. + :term:`UBOOT_LOCALVERSION` Appends a string to the name of the local version of the U-Boot image. For example, assuming the version of the U-Boot image built 
@@ -9122,11 +9141,13 @@ system and gives an overview of their function and contents. script or function if desired. The default is "uboot-mkimage". :term:`UBOOT_MKIMAGE_DTCOPTS` - Options for the device tree compiler passed to mkimage '-D' feature while - creating FIT image in :ref:`ref-classes-kernel-fitimage` class. If - :term:`UBOOT_MKIMAGE_DTCOPTS` is not set then - :ref:`ref-classes-kernel-fitimage` will not pass the ``-D`` option to - mkimage. + Options for the device tree compiler passed to ``mkimage -D`` feature + while creating a FIT image with the :ref:`ref-classes-kernel-fitimage` + class. If :term:`UBOOT_MKIMAGE_DTCOPTS` is not set then the + :ref:`ref-classes-kernel-fitimage` class will not pass the ``-D`` option + to ``mkimage``. + + This variable is also used by the :ref:`ref-classes-uboot-sign` class. :term:`UBOOT_MKIMAGE_KERNEL_TYPE` Specifies the type argument for the kernel as passed to ``uboot-mkimage``. 
@@ -9159,15 +9180,21 @@ system and gives an overview of their function and contents. :term:`UBOOT_SIGN_ENABLE` Enable signing of FIT image. The default value is "0". + This variable is used by the :ref:`ref-classes-kernel-fitimage`, + :ref:`ref-classes-uboot-config` and :ref:`ref-classes-uboot-sign` + classes. + :term:`UBOOT_SIGN_KEYDIR` - Location of the directory containing the RSA key and - certificate used for signing FIT image. + Location of the directory containing the RSA key and certificate used for + signing FIT image, used by the :ref:`ref-classes-kernel-fitimage` and + :ref:`ref-classes-uboot-sign` classes. :term:`UBOOT_SIGN_KEYNAME` - The name of keys used for signing U-Boot FIT image stored in - :term:`UBOOT_SIGN_KEYDIR` directory. For e.g. dev.key key and dev.crt - certificate stored in :term:`UBOOT_SIGN_KEYDIR` directory will have - :term:`UBOOT_SIGN_KEYNAME` set to "dev". + The name of keys used by the :ref:`ref-classes-kernel-fitimage` class + for signing U-Boot FIT image stored in the :term:`UBOOT_SIGN_KEYDIR` + directory. If we have for example a ``dev.key`` key and a ``dev.crt`` + certificate stored in the :term:`UBOOT_SIGN_KEYDIR` directory, you will + have to set :term:`UBOOT_SIGN_KEYNAME` to ``dev``. :term:`UBOOT_SUFFIX` Points to the generated U-Boot extension. 
For example, ``u-boot.sb``
From patchwork Thu May 11 16:11:40 2023
X-Patchwork-Submitter: Michael Opdenacker
X-Patchwork-Id: 23827
From: michael.opdenacker@bootlin.com
To: docs@lists.yoctoproject.org
Cc: Michael Opdenacker, Jamin Lin, Sean Anderson
Subject: [PATCH 2/2] ref-manual: document uboot-sign class and variables
Date: Thu, 11 May 2023 18:11:40 +0200
Message-Id: <20230511161140.2387483-2-michael.opdenacker@bootlin.com>
In-Reply-To: <20230511161140.2387483-1-michael.opdenacker@bootlin.com>
References: <20230511161140.2387483-1-michael.opdenacker@bootlin.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3932

From: Michael Opdenacker

Signed-off-by: Michael Opdenacker
CC: Jamin Lin
CC: Sean Anderson
--- documentation/ref-manual/classes.rst | 39 ++++++++ documentation/ref-manual/variables.rst | 121 ++++++++++++++++++++++++- 2 files changed, 155 insertions(+), 5 deletions(-) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 2f96ffb82f..9a79ec51b4 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -3178,6 +3178,45 @@ You can also specify the machine using this method:: See the :term:`UBOOT_CONFIG` and :term:`UBOOT_MACHINE` variables for additional information. +.. _ref-classes-uboot-sign: + +``uboot-sign`` +============== + +The :ref:`ref-classes-uboot-sign` class provides support for U-Boot verified boot. +It is intended to be inherited from U-Boot recipes. + +Here are variables used by this class: + +- :term:`SPL_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when + building the FIT image. +- :term:`SPL_SIGN_ENABLE`: enable signing the FIT image. +- :term:`SPL_SIGN_KEYDIR`: directory containing the signing keys. +- :term:`SPL_SIGN_KEYNAME`: base filename of the signing keys. +- :term:`UBOOT_FIT_ADDRESS_CELLS`: ``#address-cells`` value for the FIT image. +- :term:`UBOOT_FIT_DESC`: description string encoded into the FIT image. +- :term:`UBOOT_FIT_GENERATE_KEYS`: allows to generate the keys + if they don't exist yet. +- :term:`UBOOT_FIT_HASH_ALG`: hash algorithm for the FIT image. +- :term:`UBOOT_FIT_KEY_GENRSA_ARGS`: ``openssl genrsa`` arguments. +- :term:`UBOOT_FIT_KEY_REQ_ARGS`: ``openssl req`` arguments. +- :term:`UBOOT_FIT_SIGN_ALG`: signature algorithm for the FIT image. +- :term:`UBOOT_FIT_SIGN_NUMBITS`: size of the private key for FIT image + signing. +- :term:`UBOOT_FIT_KEY_SIGN_PKCS`: format for the public key certificate + for FIT image signing. +- :term:`UBOOT_FITIMAGE_ENABLE`: enables the generation of a U-Boot FIT image. +- :term:`UBOOT_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when + rebuilding the FIT image containing the kernel. + +See U-Boot's documentation for details about `verified boot +`__ +and the `signature process +`__. + +See also the description of :ref:`ref-classes-kernel-fitimage` class, which this class +imitates. + .. _ref-classes-uninative: ``uninative`` diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index b7d3c05ce2..b7829ae7af 100644 
--- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -2927,7 +2927,7 @@ system and gives an overview of their function and contents. The default value is set to "1" by the :ref:`ref-classes-kernel-fitimage` class, which corresponds to 32 bit addresses. - For platforms who need to set 64 bit addresses in + For platforms that need to set 64 bit addresses, for example in :term:`UBOOT_LOADADDRESS` and :term:`UBOOT_ENTRYPOINT`, you need to set this value to "2", as two 32 bit values (cells) will be needed to represent such addresses. @@ -7759,6 +7759,32 @@ system and gives an overview of their function and contents. section in the Yocto Project Board Support Package Developer's Guide for additional information. + :term:`SPL_MKIMAGE_DTCOPTS` + Options for the device tree compiler passed to ``mkimage -D`` feature + while creating a FIT image with the :ref:`ref-classes-uboot-sign` + class. If :term:`SPL_MKIMAGE_DTCOPTS` is not set then the + :ref:`ref-classes-uboot-sign` class will not pass the ``-D`` option + to ``mkimage``. + + The default value is set to "" by the :ref:`ref-classes-uboot-config` + class. + + :term:`SPL_SIGN_ENABLE` + Enable signing of the U-Boot FIT image. The default value is "0". + This variable is used by the :ref:`ref-classes-uboot-sign` class. + + :term:`SPL_SIGN_KEYDIR` + Location of the directory containing the RSA key and certificate used for + signing the U-Boot FIT image, used by the :ref:`ref-classes-uboot-sign` + class. + + :term:`SPL_SIGN_KEYNAME` + The name of keys used by the :ref:`ref-classes-kernel-fitimage` class + for signing U-Boot FIT image stored in the :term:`SPL_SIGN_KEYDIR` + directory. If we have for example a ``dev.key`` key and a ``dev.crt`` + certificate stored in the :term:`SPL_SIGN_KEYDIR` directory, you will + have to set :term:`SPL_SIGN_KEYNAME` to ``dev``. + :term:`SRCREV_FORMAT` See :term:`bitbake:SRCREV_FORMAT` in the BitBake manual. 
@@ -9097,16 +9123,101 @@ system and gives an overview of their function and contents. creation, the :term:`UBOOT_ENTRYPOINT` variable is passed as a command-line parameter to the ``uboot-mkimage`` utility. - To pass a 64 bit address for FIT image creation, you will need to set - the :term:`FIT_ADDRESS_CELLS` variable too. + To pass a 64 bit address for FIT image creation, you will need to set: + - The :term:`FIT_ADDRESS_CELLS` variable for FIT image creation. + - The :term:`UBOOT_FIT_ADDRESS_CELLS` variable for U-Boot FIT image creation. + + This variable is used by the :ref:`ref-classes-kernel-fitimage`, + :ref:`ref-classes-kernel-uimage`, :ref:`ref-classes-kernel`, + :ref:`ref-classes-uboot-config` and :ref:`ref-classes-uboot-sign` + classes. + :term:`UBOOT_FIT_ADDRESS_CELLS` + Specifies the value of the ``#address-cells`` value for the + description of the U-Boot FIT image. + + The default value is set to "1" by the :ref:`ref-classes-uboot-sign` + class, which corresponds to 32 bit addresses. + + For platforms that need to set 64 bit addresses in + :term:`UBOOT_LOADADDRESS` and :term:`UBOOT_ENTRYPOINT`, you need to + set this value to "2", as two 32 bit values (cells) will be needed + to represent such addresses. + + Here is an example setting "0x400000000" as a load address:: + + UBOOT_FIT_ADDRESS_CELLS = "2" + UBOOT_LOADADDRESS= "0x04 0x00000000" + + See `more details about #address-cells `__. + + :term:`UBOOT_FIT_DESC` + Specifies the description string encoded into a U-Boot fitImage. The default + value is set by the :ref:`ref-classes-uboot-sign` class as follows:: + + UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" + + :term:`UBOOT_FIT_GENERATE_KEYS` + Decides whether to generate the keys for signing the U-Boot fitImage if + they don't already exist. The keys are created in :term:`SPL_SIGN_KEYDIR`. + The default value is "0". 
+ + Enable this as follows:: + + UBOOT_FIT_GENERATE_KEYS = "1" + + This variable is used in the :ref:`ref-classes-uboot-sign` class. + + :term:`UBOOT_FIT_HASH_ALG` + Specifies the hash algorithm used in creating the U-Boot FIT Image. + It is set by default to ``sha256`` by the :ref:`ref-classes-uboot-sign` + class. + + :term:`UBOOT_FIT_KEY_GENRSA_ARGS` + Arguments to ``openssl genrsa`` for generating a RSA private key for + signing the U-Boot FIT image. The default value of this variable + is set to "-F4" by the :ref:`ref-classes-uboot-sign` class. + + :term:`UBOOT_FIT_KEY_REQ_ARGS` + Arguments to ``openssl req`` for generating a certificate for signing + the U-Boot FIT image. The default value is "-batch -new" by the + :ref:`ref-classes-uboot-sign` class, "batch" for + non interactive mode and "new" for generating new keys. + + :term:`UBOOT_FIT_KEY_SIGN_PKCS` + Format for the public key certificate used for signing the U-Boot FIT + image. The default value is set to "x509" by the + :ref:`ref-classes-uboot-sign` class. + + :term:`UBOOT_FIT_SIGN_ALG` + Specifies the signature algorithm used in creating the U-Boot FIT Image. + This variable is set by default to "rsa2048" by the + :ref:`ref-classes-uboot-sign` class. + + :term:`UBOOT_FIT_SIGN_NUMBITS` + Size of the private key used in signing the U-Boot FIT image, in number + of bits. The default value for this variable is set to "2048" + by the :ref:`ref-classes-uboot-sign` class. + + :term:`UBOOT_FITIMAGE_ENABLE` + This variable allows to generate a FIT image for U-Boot, which is one + of the ways to implement a verified boot process. + + Its default value is "0", so set it to "1" to enable this functionality:: + + UBOOT_FITIMAGE_ENABLE = "1" + + See the :ref:`ref-classes-uboot-sign` class for details. + :term:`UBOOT_LOADADDRESS` Specifies the load address for the U-Boot image. During U-Boot image creation, the :term:`UBOOT_LOADADDRESS` variable is passed as a command-line parameter to the ``uboot-mkimage`` utility. 
- To pass a 64 bit address for FIT image creation, you will need to set - the :term:`FIT_ADDRESS_CELLS` variable too. + To pass a 64 bit address, you will also need to set: + + - The :term:`FIT_ADDRESS_CELLS` variable for FIT image creation. + - The :term:`UBOOT_FIT_ADDRESS_CELLS` variable for U-Boot FIT image creation. This variable is used by the :ref:`ref-classes-kernel-fitimage`, :ref:`ref-classes-kernel-uimage`, :ref:`ref-classes-kernel`,
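
Review bot: [PATCH 1/2], classes.rst hunk at @@ -1582: the paragraph being corrected still spells the bootloader "U-boot" ("a U-boot script", "U-boot scripts") and keeps "usecases" and "device-trees", while every entry touched in variables.rst writes "U-Boot" and "device tree". Since these lines are already edited for grammar ("an :term:`Initramfs`", "device trees."), fix the remaining spellings in the same pass so the class description matches the glossary.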
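
Review bot: [PATCH 1/2], variables.rst hunk at @@ -2941, FIT_SIGN_NUMBITS: "Size of the private key used in the FIT image" reads as if the private key were stored in the image; say "used for signing the FIT image", which is the wording patch 2/2 uses for UBOOT_FIT_SIGN_NUMBITS. In the same hunk, the FIT_KEY_GENRSA_ARGS entry drops the explanation that "-F4" selects the public exponent 65537, which is the only hint a reader had about what the default does, so keep it. FIT_HASH_ALG, FIT_KERNEL_COMP_ALG, FIT_SIGN_ALG and FIT_PAD_ALG still say "FIT Image" although the commit message announces "FIT image"; "value is set ".gz" by" and "The default value is "-batch -new" by the" are missing "to" and "set to"; "a RSA private key" should be "an RSA private key"; and FIT_SIGN_INDIVIDUAL says "set to "0" by default" without naming the class, unlike its neighbours.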
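
Review bot: [PATCH 1/2], variables.rst hunk at @@ -9122, UBOOT_MKIMAGE_DTCOPTS: "passed to ``mkimage -D`` feature" is not grammatical after the rewrite, because the old text named "mkimage '-D' feature" as a noun phrase and the new one marks up a command. Suggest "Options for the device tree compiler, passed through the ``-D`` option of ``mkimage`` while creating a FIT image ...", which also matches the closing sentence "will not pass the ``-D`` option to ``mkimage``".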
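
Review bot: [PATCH 1/2], variables.rst hunk at @@ -9159: UBOOT_SIGN_KEYNAME is described as used by the kernel-fitimage class only, while UBOOT_SIGN_KEYDIR, two entries above in the same hunk, names both kernel-fitimage and uboot-sign. A key name is of no use without its directory, so please check whether uboot-sign reads UBOOT_SIGN_KEYNAME too and list the same classes in both entries. Smaller points in this hunk: "signing FIT image" and "signing U-Boot FIT image" lack an article, "If we have for example ... you will have to set" switches person mid-sentence, and the value is written ``dev`` here but quoted as "0", "x509", "2048" everywhere else.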
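
Review bot: [PATCH 2/2], classes.rst hunk at @@ -3178: the list introduced by "Here are variables used by this class:" leaves out UBOOT_SIGN_ENABLE and UBOOT_SIGN_KEYDIR, which patch 1/2 documents as used by the uboot-sign class, as well as UBOOT_ENTRYPOINT and UBOOT_LOADADDRESS, which this series also marks as used by it. Either add them or reword the lead-in so it does not read as a complete list. The one-line summaries also need to say which image they refer to: "SPL_SIGN_ENABLE: enable signing the FIT image" is indistinguishable from UBOOT_SIGN_ENABLE unless it says "U-Boot FIT image", as the glossary entry does. UBOOT_FIT_KEY_SIGN_PKCS is listed after UBOOT_FIT_SIGN_NUMBITS, out of the alphabetical order used for the rest, and "allows to generate the keys" should be "allows generating the keys".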
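
Review bot: [PATCH 2/2], variables.rst hunk at @@ -7759, SPL_SIGN_KEYNAME: the entry says "The name of keys used by the :ref:`ref-classes-kernel-fitimage` class", which looks copied from UBOOT_SIGN_KEYNAME without updating the class. SPL_SIGN_KEYDIR directly above and the new uboot-sign section both attribute the SPL_SIGN_* variables to :ref:`ref-classes-uboot-sign`, so the reference should point there. Leaving it as is sends a reader who is setting up verified boot to the wrong class to find out which key signs the U-Boot FIT image. The same entry also mixes "If we have ... you will have to set".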
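
Review bot: [PATCH 2/2], variables.rst hunk at @@ -9097: UBOOT_FIT_DESC ("encoded into a U-Boot fitImage") and UBOOT_FIT_GENERATE_KEYS ("signing the U-Boot fitImage") reintroduce the "fitImage" spelling that patch 1/2 replaces with "FIT image" throughout; only the default string inside the literal block should keep it. Also in this hunk: the example line "UBOOT_LOADADDRESS= "0x04 0x00000000"" lacks the space before "="; the UBOOT_ENTRYPOINT sentence "To pass a 64 bit address for FIT image creation, you will need to set:" is followed by items that repeat "for FIT image creation", whereas UBOOT_LOADADDRESS uses "To pass a 64 bit address, you will also need to set:", so use the second wording in both places; UBOOT_FIT_HASH_ALG marks its default as ``sha256`` while the sibling entries quote theirs; "The default value is "-batch -new" by the" is missing "set to"; "a RSA private key" should be "an RSA private key"; and "This variable allows to generate" should be "allows generating".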