| David Brown | d2fcc21 | 2017-09-11 14:47:48 -0600 | [diff] [blame] | 1 | # Image tool |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 2 | |
| 3 | The Python program `scripts/imgtool.py` can be used to perform the |
| 4 | operations that are necessary to manage keys and sign images. Using |
| 5 | this script should be preferred to the manual steps described in |
| 6 | `doc/signed_images.md`. |
| 7 | |
| 8 | This program is written for Python3, and has several dependencies on |
| Carles Cufi | f242901 | 2018-01-30 16:45:50 +0100 | [diff] [blame] | 9 | Python libraries. These can be installed using 'pip3': |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 10 | |
| Carles Cufi | f242901 | 2018-01-30 16:45:50 +0100 | [diff] [blame] | 11 | pip3 install --user -r scripts/requirements.txt |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 12 | |
| 13 | ## Managing keys |
| 14 | |
| 15 | This tool currently supports rsa-2048 and ecdsa-p256 keys. You can |
| 16 | generate a keypair for one of these types using the 'keygen' command: |
| 17 | |
| 18 | ./scripts/imgtool.py keygen -k filename.pem -t rsa-2048 |
| 19 | |
| 20 | or use ecdsa-p256 for the type. The key type used should match what |
| 21 | mcuboot is configured to verify. |
| 22 | |
| 23 | This key file is what is used to sign images, this file should be |
| 24 | protected, and not widely distributed. |
| 25 | |
| David Brown | 31d29c8 | 2017-11-21 15:38:56 -0700 | [diff] [blame] | 26 | You can add the `-p` argument to `keygen`, which will cause it to |
| 27 | prompt for a password. You will need to enter this password in every |
| 28 | time you use the private key. |
| 29 | |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 30 | ## Incorporating the public key into the code |
| 31 | |
| 32 | There is a development key distributed with mcuboot that can be used |
| 33 | for testing. Since this private key is widely distributed, it should |
| 34 | never be used for production. Once you have generated a production |
| 35 | key, as described above, you should replace the public key in the |
| 36 | bootloader with the generated one. |
| 37 | |
| 38 | For Zephyr, the keys live in the file `boot/zephyr/keys.c`. For |
| 39 | mynewt, follow the instructions in `doc/signed_images.md` to generate |
| 40 | the key file. |
| 41 | |
| 42 | ./scripts/imgtool.py getpub -k filename.pem |
| 43 | |
| 44 | will extract the public key from the given private key file, and |
| 45 | output it as a C data structure. You can replace or insert this code |
| 46 | into the key file. |
| 47 | |
| 48 | ## Signing images |
| 49 | |
| Carles Cufi | 6168f42 | 2018-03-26 17:55:13 +0200 | [diff] [blame] | 50 | Image signing takes an image in binary or Intel Hex format intended for Slot 0 |
| 51 | and adds a header and trailer that the bootloader is expecting: |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 52 | |
| Fabio Utzig | 5901fd5 | 2018-06-13 11:24:30 -0700 | [diff] [blame] | 53 | Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE |
| 54 | |
| 55 | Create a signed or unsigned image |
| 56 | |
| 57 | Options: |
| 58 | -k, --key filename |
| 59 | --align [1|2|4|8] [required] |
| 60 | -v, --version TEXT [required] |
| 61 | -H, --header-size INTEGER [required] |
| 62 | --pad-header Add `--header-size` zeroed bytes at the beginning |
| 63 | of the image |
| 64 | -S, --slot-size INTEGER Size of the slot where the image will be written |
| 65 | [required] |
| 66 | --pad Pad image to --slot-size bytes, adding trailer |
| 67 | magic |
| 68 | -M, --max-sectors INTEGER When padding allow for this amount of sectors |
| 69 | (defaults to 128) |
| 70 | --overwrite-only Use overwrite-only instead of swap upgrades |
| 71 | -h, --help Show this message and exit. |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 72 | |
| 73 | The main arguments given are the key file generated above, a version |
| 74 | field to place in the header (1.2.3 for example), the alignment of the |
| 75 | flash device in question, and the header size. |
| 76 | |
| 77 | The header size depends on the operating system and the particular |
| 78 | flash device. For Zephyr, it will be configured as part of the build, |
| Fabio Utzig | 5901fd5 | 2018-06-13 11:24:30 -0700 | [diff] [blame] | 79 | and will be a small power of two. By default, the Zephyr build system will |
| 80 | already prepended a zeroed header to the image. If another build system is |
| 81 | in use that does not automatically add this zeroed header, `--pad-header` can |
| Mark Schulte | b88b2c4 | 2018-07-17 07:47:03 -0700 | [diff] [blame^] | 82 | be passed and the `--header-size` will be added by imgtool. If `--pad-header` |
| 83 | is used with an Intel Hex file, `--header-size` bytes will be subtracted from |
| 84 | the load address (in Intel Hex terms, the Extended Linear Address record) to |
| 85 | adjust for the new bytes prepended to the file. The load address of all data |
| 86 | existing in the file should not change. |
| Fabio Utzig | 5901fd5 | 2018-06-13 11:24:30 -0700 | [diff] [blame] | 87 | |
| 88 | The `--slot-size` argument is required and used to check that the firmware |
| 89 | does not overflow into the swap status area (metadata). If swap upgrades are |
| 90 | not being used, `--overwrite-only` can be passed to avoid adding the swap |
| 91 | status area size when calculating overflow. |
| David Brown | e369fec | 2017-06-07 09:35:48 -0600 | [diff] [blame] | 92 | |
| 93 | The optional --pad argument will place a trailer on the image that |
| 94 | indicates that the image should be considered an upgrade. Writing |
| 95 | this image in slot 1 will then cause the bootloader to upgrade to it. |