From this file, and the kernel Image and device-tree file it references, a FIT image can be built using u-boot’s mkimage. It is very important to use the mkimage version that was built in the previous step!
mkimage -f kernel_fdt.its fitImage
fitImage is the output file, and seems to be a standard name for these images. At least one target in mainline u-boot uses it (and there are few targets that enable FIT).
To test whether it works, copy the fitImage into /boot and use bootm to execute it. Sample for Clearfog (adapt as required):
FIT images can still be built as in the previous section, but they will NOT be signed. Instead, the location of the signing key needs to be passed to mkimage. Here it is assumed that all keys are in a folder called keys, in the current directory:
Look for the Sign algo and Sign value fields in the on-screen output. If there is no signature value, something went wrong!
It might make sense to sign the configuration instead of the kernel and DTB. This prevents a mix-and-match attack when multiple kernels / DTBs / ramdisks are available in the image. According to the documentation, a signature over a configuration also covers the hashes of all files that are part of that configuration, so signatures are then not required in the kernel and fdt sections.
FIT images can also be signed *after* creating them, by using mkimage’s -f and -F options!
Include Public Signing Key in U-Boot
For signature validation to be of any use, the public key has to be available before the FIT image is loaded. This is why U-Boot expects it in its own embedded DeviceTree file. That file is most probably one of arch/arm/dts/*.dts, compiled into both dts/dt.dtb and u-boot.dtb. The key can be added manually, but mkimage provides a much easier automatic method via its -K parameter:
The -r option tells u-boot which signatures are required to be checked at boot. When it is omitted, u-boot will happily boot any signed, unsigned or wrongly signed images. This option takes two possible values: image and conf. The latter should be used if the configuration section is signed!
Now the changed dtb has to be embedded into the U-Boot SPL. This can easily be achieved by re-running make, while triple-checking that dts/dt.dtb is not overwritten by make.
This section was only tested on the Clearfog. In particular, the path dts/dt.dtb may differ for other targets.
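The signing, key-embedding and output-check steps above, as an added example that is not from the original page: it assumes kernel_fdt.its carries a signature node under its configuration with key-name-hint "dev", keys/dev.key and keys/dev.crt in a keys directory, dts/dt.dtb as the U-Boot control DTB and fitImage as the output. mkimage's -r is used here as a bare flag; whether the DTB records the key as required for "image" or "conf" signatures follows from where the signature node sits in the .its. The listing check runs on a constructed excerpt, not real mkimage output.

```sh
#!/bin/sh
# Added example, not from the original page: build a FIT image whose
# configuration is signed, embed the public key into U-Boot's control
# DTB and mark it as required, then check a mkimage listing for a
# usable signature value. Assumed inputs: kernel_fdt.its with a
# signature node under the configuration (key-name-hint "dev"),
# keys/dev.key + keys/dev.crt, and dts/dt.dtb from the U-Boot build.
set -e

KEYDIR=${KEYDIR:-keys}
ITS=${ITS:-kernel_fdt.its}
OUT=${OUT:-fitImage}
UBOOT_DTB=${UBOOT_DTB:-dts/dt.dtb}

# -k: directory holding <key-name-hint>.key/.crt
# -K: write the public key into the U-Boot DTB
# -r: mark that key as required; "image" vs "conf" is decided by the
#     position of the signature node in the .its (here: configuration)
build_signed_fit() {
    mkimage -f "$ITS" -k "$KEYDIR" -K "$UBOOT_DTB" -r "$OUT"
    # U-Boot must then be rebuilt (make) so the SPL picks up the new DTB.
}

# Check a saved listing (mkimage's output at build time, or of
# `mkimage -l fitImage`): both "Sign algo" and "Sign value" must be
# present, and the value must not be "unavailable", which mkimage
# prints when no signature was actually computed.
fit_listing_is_signed() {
    listing=$1
    grep -q 'Sign algo:' "$listing" || return 1
    grep -q 'Sign value:' "$listing" || return 1
    if grep -q 'Sign value: *unavailable' "$listing"; then
        return 1
    fi
    return 0
}

# Constructed listing excerpt (not real mkimage output) for a dry run.
demo_listing() {
    printf '%s\n' \
        ' Configuration 0 (conf-1)' \
        '  Kernel:       kernel' \
        '  FDT:          fdt-1' \
        '  Sign algo:    sha256,rsa2048:dev' \
        '  Sign value:   1f2e3d4c5b6a79880011223344556677'
}
```

Run `demo_listing > fit.lst && fit_listing_is_signed fit.lst` to exercise the check without a toolchain; call build_signed_fit only where mkimage from the U-Boot build is on PATH.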