| .. SPDX-License-Identifier: GPL-2.0+ |
| |
| Flattened Image Tree (FIT) Format |
| ================================= |
| |
| Introduction |
| ------------ |
| |
| The number of elements playing a role in the kernel booting process has |
| increased over time and now typically includes the devicetree, kernel image and |
| possibly a ramdisk image. Generally, all must be placed in the system memory and |
| booted together. |
| |
| For firmware images a similar process has taken place, with various binaries |
| loaded at different addresses, such as ARM's ATF, OpenSBI, FPGA and U-Boot |
| itself. |
| |
| FIT provides a flexible and extensible format to deal with this complexity. It |
| provides support for multiple components. It also supports multiple |
| configurations, so that the same FIT can be used to boot multiple boards, with |
| some components in common (e.g. kernel) and some specific to that board (e.g. |
| devicetree). |
| |
| Terminology |
| ~~~~~~~~~~~ |
| |
| This document defines FIT by providing FDT (Flat Device Tree) bindings. These |
| describe the final form of the FIT at the moment when it is used. The user |
| perspective may be simpler, as some of the properties (like timestamps and |
| hashes) are filled in automatically by the U-Boot mkimage tool. |
| |
| To avoid confusion with the kernel FDT the following naming convention is used: |
| |
| FIT |
| Flattened Image Tree |
| |
| FIT is formally a flattened devicetree (in the libfdt meaning), which conforms |
| to bindings defined in this document. |
| |
| .its |
| image tree source |
| |
| .itb |
| flattened image tree blob |
| |
| Image-building procedure |
| ~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| The following picture shows how the FIT is prepared. Input consists of |
| image source file (.its) and a set of data files. Image is created with the |
| help of standard U-Boot mkimage tool which in turn uses dtc (device tree |
| compiler) to produce image tree blob (.itb). The resulting .itb file is the |
| actual binary of a new FIT:: |
| |
| tqm5200.its |
| + |
| vmlinux.bin.gz mkimage + dtc xfer to target |
| eldk-4.2-ramdisk --------------> tqm5200.itb --------------> boot |
| tqm5200.dtb /|\ |
| | |
| 'new FIT' |
| |
| Steps: |
| |
| #. Create .its file, automatically filled-in properties are omitted |
| |
| #. Call mkimage tool on a .its file |
| |
| #. mkimage calls dtc to create .itb image and assures that |
| missing properties are added |
| |
| #. .itb (new FIT) is uploaded onto the target and used therein |
| |
| |
| Unique identifiers |
| ~~~~~~~~~~~~~~~~~~ |
| |
| To identify FIT sub-nodes representing images, hashes, configurations (which |
| are defined in the following sections), the "unit name" of the given sub-node |
| is used as it's identifier as it assures uniqueness without additional |
| checking required. |
| |
| |
| External data |
| ~~~~~~~~~~~~~ |
| |
| FIT is normally built initially with image data in the 'data' property of each |
| image node. It is also possible for this data to reside outside the FIT itself. |
| This allows the 'FDT' part of the FIT to be quite small, so that it can be |
| loaded and scanned without loading a large amount of data. Then when an image is |
| needed it can be loaded from an external source. |
| |
| External FITs use 'data-offset' or 'data-position' instead of 'data'. |
| |
| The mkimage tool can convert a FIT to use external data using the `-E` argument, |
| optionally using `-p` to specific a fixed position. |
| |
| It is often desirable to align each image to a block size or cache-line size |
| (e.g. 512 bytes), so that there is no need to copy it to an aligned address when |
| reading the image data. The mkimage tool provides a `-B` argument to support |
| this. |
| |
| Root-node properties |
| -------------------- |
| |
| The root node of the FIT should have the following layout:: |
| |
| / o image-tree |
| |- description = "image description" |
| |- timestamp = <12399321> |
| |- #address-cells = <1> |
| | |
| o images |
| | | |
| | o image-1 {...} |
| | o image-2 {...} |
| | ... |
| | |
| o configurations |
| |- default = "conf-1" |
| | |
| o conf-1 {...} |
| o conf-2 {...} |
| ... |
| |
| Optional property |
| ~~~~~~~~~~~~~~~~~ |
| |
| description |
| Textual description of the FIT |
| |
| Mandatory property |
| ~~~~~~~~~~~~~~~~~~ |
| |
| timestamp |
| Last image modification time being counted in seconds since |
| 1970-01-01 00:00:00 - to be automatically calculated by mkimage tool. |
| |
| Conditionally mandatory property |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| #address-cells |
| Number of 32bit cells required to represent entry and |
| load addresses supplied within sub-image nodes. May be omitted when no |
| entry or load addresses are used. |
| |
| Mandatory nodes |
| ~~~~~~~~~~~~~~~ |
| |
| images |
| This node contains a set of sub-nodes, each of them representing |
| single component sub-image (like kernel, ramdisk, etc.). At least one |
| sub-image is required. |
| |
| configurations |
| Contains a set of available configuration nodes and |
| defines a default configuration. |
| |
| |
| '/images' node |
| -------------- |
| |
| This node is a container node for component sub-image nodes. Each sub-node of |
| the '/images' node should have the following layout:: |
| |
| o image-1 |
| |- description = "component sub-image description" |
| |- data = /incbin/("path/to/data/file.bin") |
| |- type = "sub-image type name" |
| |- arch = "ARCH name" |
| |- os = "OS name" |
| |- compression = "compression name" |
| |- load = <00000000> |
| |- entry = <00000000> |
| | |
| o hash-1 {...} |
| o hash-2 {...} |
| ... |
| |
| Mandatory properties |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| description |
| Textual description of the component sub-image |
| |
| type |
| Name of component sub-image type. Supported types are: |
| |
| ==================== ================== |
| Sub-image type Meaning |
| ==================== ================== |
| invalid Invalid Image |
| aisimage Davinci AIS image |
| atmelimage ATMEL ROM-Boot Image |
| copro Coprocessor Image |
| fdt_legacy legacy Image with Flat Device Tree |
| filesystem Filesystem Image |
| firmware Firmware |
| firmware_ivt Firmware with HABv4 IVT |
| flat_dt Flat Device Tree |
| fpga FPGA Device Image (bitstream file, vendor specific) |
| gpimage TI Keystone SPL Image |
| imx8image NXP i.MX8 Boot Image |
| imx8mimage NXP i.MX8M Boot Image |
| imximage Freescale i.MX Boot Image |
| kernel Kernel Image |
| kernel_noload Kernel Image (no loading done) |
| kwbimage Kirkwood Boot Image |
| lpc32xximage LPC32XX Boot Image |
| mtk_image MediaTek BootROM loadable Image |
| multi Multi-File Image |
| mxsimage Freescale MXS Boot Image |
| omapimage TI OMAP SPL With GP CH |
| pblimage Freescale PBL Boot Image |
| pmmc TI Power Management Micro-Controller Firmware |
| ramdisk RAMDisk Image |
| rkimage Rockchip Boot Image |
| rksd Rockchip SD Boot Image |
| rkspi Rockchip SPI Boot Image |
| script Script |
| socfpgaimage Altera SoCFPGA CV/AV preloader |
| socfpgaimage_v1 Altera SoCFPGA A10 preloader |
| spkgimage Renesas SPKG Image |
| standalone Standalone Program |
| stm32image STMicroelectronics STM32 Image |
| sunxi_egon Allwinner eGON Boot Image |
| sunxi_toc0 Allwinner TOC0 Boot Image |
| tee Trusted Execution Environment Image |
| ublimage Davinci UBL image |
| vybridimage Vybrid Boot Image |
| x86_setup x86 setup.bin |
| zynqimage Xilinx Zynq Boot Image |
| zynqmpbif Xilinx ZynqMP Boot Image (bif) |
| zynqmpimage Xilinx ZynqMP Boot Image |
| ==================== ================== |
| |
| compression |
| Compression used by included data. If no compression is used, the |
| compression property should be set to "none". If the data is compressed but |
| it should not be uncompressed by the loader (e.g. compressed ramdisk), this |
| should also be set to "none". |
| |
| Supported compression types are: |
| |
| ==================== ================== |
| Compression type Meaning |
| ==================== ================== |
| none uncompressed |
| bzip2 bzip2 compressed |
| gzip gzip compressed |
| lz4 lz4 compressed |
| lzma lzma compressed |
| lzo lzo compressed |
| zstd zstd compressed |
| ==================== ================== |
| |
| data-size |
| size of the data in bytes |
| |
| |
| Conditionally mandatory property |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| |
| data |
| Path to the external file which contains this node's binary data. Within |
| the FIT this is the contents of the file. This is mandatory unless |
| external data is used. |
| |
| data-offset |
| Offset of the data in a separate image store. The image store is placed |
| immediately after the last byte of the device tree binary, aligned to a |
| 4-byte boundary. This is mandatory if external data is used, with an offset. |
| |
| data-position |
| Machine address at which the data is to be found. This is a fixed address |
| not relative to the loading of the FIT. This is mandatory if external data |
| used with a fixed address. |
| |
| os |
| OS name, mandatory for types "kernel". Valid OS names are: |
| |
| ==================== ================== |
| OS name Meaning |
| ==================== ================== |
| invalid Invalid OS |
| 4_4bsd 4_4BSD |
| arm-trusted-firmware ARM Trusted Firmware |
| dell Dell |
| efi EFI Firmware |
| esix Esix |
| freebsd FreeBSD |
| integrity INTEGRITY |
| irix Irix |
| linux Linux |
| ncr NCR |
| netbsd NetBSD |
| openbsd OpenBSD |
| openrtos OpenRTOS |
| opensbi RISC-V OpenSBI |
| ose Enea OSE |
| plan9 Plan 9 |
| psos pSOS |
| qnx QNX |
| rtems RTEMS |
| sco SCO |
| solaris Solaris |
| svr4 SVR4 |
| tee Trusted Execution Environment |
| u-boot U-Boot |
| vxworks VxWorks |
| ==================== ================== |
| |
| arch |
| Architecture name, mandatory for types: "standalone", "kernel", |
| "firmware", "ramdisk" and "fdt". Valid architecture names are: |
| |
| ==================== ================== |
| Architecture type Meaning |
| ==================== ================== |
| invalid Invalid ARCH |
| alpha Alpha |
| arc ARC |
| arm64 AArch64 |
| arm ARM |
| avr32 AVR32 |
| blackfin Blackfin |
| ia64 IA64 |
| m68k M68K |
| microblaze MicroBlaze |
| mips64 MIPS 64 Bit |
| mips MIPS |
| nds32 NDS32 |
| nios2 NIOS II |
| or1k OpenRISC 1000 |
| powerpc PowerPC |
| ppc PowerPC |
| riscv RISC-V |
| s390 IBM S390 |
| sandbox Sandbox |
| sh SuperH |
| sparc64 SPARC 64 Bit |
| sparc SPARC |
| x86_64 AMD x86_64 |
| x86 Intel x86 |
| xtensa Xtensa |
| ==================== ================== |
| |
| entry |
| entry point address, address size is determined by |
| '#address-cells' property of the root node. |
| Mandatory for types: "firmware", and "kernel". |
| |
| load |
| load address, address size is determined by '#address-cells' |
| property of the root node. |
| Mandatory for types: "firmware", and "kernel". |
| |
| compatible |
| compatible method for loading image. |
| Mandatory for types: "fpga", and images that do not specify a load address. |
| Supported compatible methods: |
| |
| ========================== ========================================= |
| Compatible string Meaning |
| ========================== ========================================= |
| u-boot,fpga-legacy Generic fpga loading routine. |
| u-boot,zynqmp-fpga-ddrauth Signed non-encrypted FPGA bitstream for |
| Xilinx Zynq UltraScale+ (ZymqMP) device. |
| u-boot,zynqmp-fpga-enc Encrypted FPGA bitstream for Xilinx Zynq |
| UltraScale+ (ZynqMP) device. |
| ========================== ========================================= |
| |
| phase |
| U-Boot phase for which the image is intended. |
| |
| "spl" |
| image is an SPL image |
| |
| "u-boot" |
| image is a U-Boot image |
| |
| Optional nodes: |
| |
| hash-1 |
| Each hash sub-node represents separate hash or checksum |
| calculated for node's data according to specified algorithm. |
| |
| signature-1 |
| Each signature sub-node represents separate signature |
| calculated for node's data according to specified algorithm. |
| |
| |
| Hash nodes |
| ---------- |
| |
| :: |
| |
| o hash-1 |
| |- algo = "hash or checksum algorithm name" |
| |- value = [hash or checksum value] |
| |
| Mandatory properties |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| algo |
| Algorithm name. Supported algoriths and their value sizes are: |
| |
| ==================== ============ ========================================= |
| Sub-image type Size (bytes) Meaning |
| ==================== ============ ========================================= |
| crc16-ccitt 2 Cyclic Redundancy Check 16-bit |
| (Consultative Committee for International |
| Telegraphy and Telephony) |
| crc32 4 Cyclic Redundancy Check 32-bit |
| md5 16 Message Digest 5 (MD5) |
| sha1 20 Secure Hash Algorithm 1 (SHA1) |
| sha256 32 Secure Hash Algorithm 2 (SHA256) |
| sha384 48 Secure Hash Algorithm 2 (SHA384) |
| sha512 64 Secure Hash Algorithm 2 (SHA512) |
| ==================== ============ ========================================= |
| |
| value |
| Actual checksum or hash value. |
| |
| Image-signature nodes |
| --------------------- |
| |
| :: |
| |
| o signature-1 |
| |- algo = "algorithm name" |
| |- key-name-hint = "key name" |
| |- value = [hash or checksum value] |
| |
| |
| Mandatory properties |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| _`FIT Algorithm`: |
| |
| algo |
| Algorithm name. Supported algoriths and their value sizes are shown below. |
| Note that the hash is specified separately from the signing algorithm, so |
| it is possible to mix and match any SHA algorithm with any signing |
| algorithm. The size of the signature relates to the signing algorithm, not |
| the hash, since it is the hash that is signed. |
| |
| ==================== ============ ========================================= |
| Sub-image type Size (bytes) Meaning |
| ==================== ============ ========================================= |
| sha1,rsa2048 256 SHA1 hash signed with 2048-bit |
| Rivest–Shamir–Adleman algorithm |
| sha1,rsa3072 384 SHA1 hash signed with 2048-bit RSA |
| sha1,rsa4096 512 SHA1 hash signed with 2048-bit RSA |
| sha1,ecdsa256 32 SHA1 hash signed with 256-bit Elliptic |
| Curve Digital Signature Algorithm |
| sha256,... |
| sha384,... |
| sha512,... |
| ==================== ============ ========================================= |
| |
| key-name-hint |
| Name of key to use for signing. The keys will normally be in |
| a single directory (parameter -k to mkimage). For a given key <name>, its |
| private key is stored in <name>.key and the certificate is stored in |
| <name>.crt. |
| |
| sign-images |
| A list of images to sign, each being a property of the conf |
| node that contains then. The default is "kernel,fdt" which means that these |
| two images will be looked up in the config and signed if present. This is |
| used by mkimage to determine which images to sign. |
| |
| The following properies are added as part of signing, and are mandatory: |
| |
| value |
| Actual signature value. This is added by mkimage. |
| |
| hashed-nodes |
| A list of nodes which were hashed by the signer. Each is |
| a string - the full path to node. A typical value might be:: |
| |
| hashed-nodes = "/", "/configurations/conf-1", "/images/kernel", |
| "/images/kernel/hash-1", "/images/fdt-1", |
| "/images/fdt-1/hash-1"; |
| |
| hashed-strings |
| The start and size of the string region of the FIT that was hashed. The |
| start is normally 0, indicating the first byte of the string table. The size |
| indicates the number of bytes hashed as part of signing. |
| |
| The following properies are added as part of signing, and are optional: |
| |
| timestamp |
| Time when image was signed (standard Unix time_t format) |
| |
| signer-name |
| Name of the signer (e.g. "mkimage") |
| |
| signer-version |
| Version string of the signer (e.g. "2013.01") |
| |
| comment |
| Additional information about the signer or image |
| |
| padding |
| The padding algorithm, it may be pkcs-1.5 or pss, |
| if no value is provided we assume pkcs-1.5 |
| |
| |
| '/configurations' node |
| ---------------------- |
| |
| The 'configurations' node creates convenient, labeled boot configurations, |
| which combine together kernel images with their ramdisks and fdt blobs. |
| |
| The 'configurations' node has the following structure:: |
| |
| o configurations |
| |- default = "default configuration sub-node unit name" |
| | |
| o config-1 {...} |
| o config-2 {...} |
| ... |
| |
| |
| Optional property |
| ~~~~~~~~~~~~~~~~~ |
| |
| default |
| Selects one of the configuration sub-nodes as a default configuration. |
| |
| Mandatory nodes |
| ~~~~~~~~~~~~~~~ |
| |
| configuration-sub-node-unit-name |
| At least one of the configuration sub-nodes is required. |
| |
| Optional nodes |
| ~~~~~~~~~~~~~~ |
| |
| signature-1 |
| Each signature sub-node represents separate signature |
| calculated for the configuration according to specified algorithm. |
| |
| |
| Configuration nodes |
| ------------------- |
| |
| Each configuration has the following structure:: |
| |
| o config-1 |
| |- description = "configuration description" |
| |- kernel = "kernel sub-node unit name" |
| |- fdt = "fdt sub-node unit-name" [, "fdt overlay sub-node unit-name", ...] |
| |- loadables = "loadables sub-node unit-name" |
| |- script = " |
| |- compatible = "vendor,board-style device tree compatible string" |
| o signature-1 {...} |
| |
| Mandatory properties |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| description |
| Textual configuration description. |
| |
| kernel or firmware |
| Unit name of the corresponding kernel or firmware |
| (u-boot, op-tee, etc) image. If both "kernel" and "firmware" are specified, |
| control is passed to the firmware image. |
| |
| Optional properties |
| ~~~~~~~~~~~~~~~~~~~ |
| |
| fdt |
| Unit name of the corresponding fdt blob (component image node of a |
| "fdt type"). Additional fdt overlay nodes can be supplied which signify |
| that the resulting device tree blob is generated by the first base fdt |
| blob with all subsequent overlays applied. |
| |
| fpga |
| Unit name of the corresponding fpga bitstream blob |
| (component image node of a "fpga type"). |
| |
| loadables |
| Unit name containing a list of additional binaries to be |
| loaded at their given locations. "loadables" is a comma-separated list |
| of strings. U-Boot will load each binary at its given start-address and |
| may optionally invoke additional post-processing steps on this binary based |
| on its component image node type. |
| |
| script |
| The image to use when loading a U-Boot script (for use with the |
| source command). |
| |
| compatible |
| The root compatible string of the U-Boot device tree that |
| this configuration shall automatically match when CONFIG_FIT_BEST_MATCH is |
| enabled. If this property is not provided, the compatible string will be |
| extracted from the fdt blob instead. This is only possible if the fdt is |
| not compressed, so images with compressed fdts that want to use compatible |
| string matching must always provide this property. |
| |
| The FDT blob is required to properly boot FDT based kernel, so the minimal |
| configuration for 2.6 FDT kernel is (kernel, fdt) pair. |
| |
| Older, 2.4 kernel and 2.6 non-FDT kernel do not use FDT blob, in such cases |
| 'struct bd_info' must be passed instead of FDT blob, thus fdt property *must |
| not* be specified in a configuration node. |
| |
| Configuration-signature nodes |
| ----------------------------- |
| |
| :: |
| |
| o signature-1 |
| |- algo = "algorithm name" |
| |- key-name-hint = "key name" |
| |- sign-images = "path1", "path2"; |
| |- value = [hash or checksum value] |
| |- hashed-strings = <0 len> |
| |
| |
| Mandatory properties |
| ~~~~~~~~~~~~~~~~~~~~ |
| |
| algo |
| See `FIT Algorithm`_. |
| |
| key-name-hint |
| Name of key to use for signing. The keys will normally be in |
| a single directory (parameter -k to mkimage). For a given key <name>, its |
| private key is stored in <name>.key and the certificate is stored in |
| <name>.crt. |
| |
| The following properies are added as part of signing, and are mandatory: |
| |
| value |
| Actual signature value. This is added by mkimage. |
| |
| The following properies are added as part of signing, and are optional: |
| |
| timestamp |
| Time when image was signed (standard Unix time_t format) |
| |
| signer-name |
| Name of the signer (e.g. "mkimage") |
| |
| signer-version |
| Version string of the signer (e.g. "2013.01") |
| |
| comment |
| Additional information about the signer or image |
| |
| padding |
| The padding algorithm, it may be pkcs-1.5 or pss, |
| if no value is provided we assume pkcs-1.5 |
| |
| |
| |
| Examples |
| -------- |
| |
| Some example files are available here, showing various scenarios |
| |
| .. toctree:: |
| :maxdepth: 1 |
| |
| kernel |
| kernel_fdt |
| kernel_fdts_compressed |
| multi |
| multi_spl |
| multi-with-fpga |
| multi-with-loadables |
| sec_firmware_ppa |
| sign-configs |
| sign-images |
| uefi |
| update3 |
| update_uboot |
| |
| .. sectionauthor:: Marian Balakowicz <m8@semihalf.com> |
| .. sectionauthor:: External data additions, 25/1/16 Simon Glass <sjg@chromium.org> |