Pali Rohár | cdf0d1c | 2022-02-13 01:09:46 +0100 | [diff] [blame] | 1 | .TH MKIMAGE 1 "2022-02-07" |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 2 | |
| 3 | .SH NAME |
| 4 | mkimage \- Generate image for U-Boot |
| 5 | .SH SYNOPSIS |
| 6 | .B mkimage |
Pali Rohár | cdf0d1c | 2022-02-13 01:09:46 +0100 | [diff] [blame] | 7 | .RB [ \-T " \fItype\fP] " \-l " [\fIuimage file name\fP]" |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 8 | |
| 9 | .B mkimage |
| 10 | .RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]" |
| 11 | |
| 12 | .B mkimage |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 13 | .RB [\fIoptions\fP] " \-F [" "uimage file name" "]" |
| 14 | |
| 15 | .B mkimage |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 16 | .RB [\fIoptions\fP] " (legacy mode)" |
| 17 | |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 18 | .SH "DESCRIPTION" |
| 19 | The |
| 20 | .B mkimage |
| 21 | command is used to create images for use with the U-Boot boot loader. |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 22 | These images can contain the linux kernel, device tree blob, root file |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 23 | system image, firmware images etc., either separate or combined. |
| 24 | |
| 25 | .B mkimage |
| 26 | supports two different formats: |
| 27 | |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 28 | The old |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 29 | .I legacy image |
| 30 | format concatenates the individual parts (for example, kernel image, |
| 31 | device tree blob and ramdisk image) and adds a 64 bytes header |
| 32 | containing information about target architecture, operating system, |
| 33 | image type, compression method, entry points, time stamp, checksums, |
| 34 | etc. |
| 35 | |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 36 | The new |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 37 | .I FIT (Flattened Image Tree) format |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 38 | allows for more flexibility in handling images of various types and also |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 39 | enhances integrity protection of images with stronger checksums. It also |
| 40 | supports verified boot. |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 41 | |
| 42 | .SH "OPTIONS" |
| 43 | |
| 44 | .B List image information: |
| 45 | |
| 46 | .TP |
| 47 | .BI "\-l [" "uimage file name" "]" |
| 48 | mkimage lists the information contained in the header of an existing U-Boot image. |
| 49 | |
Pali Rohár | cdf0d1c | 2022-02-13 01:09:46 +0100 | [diff] [blame] | 50 | .TP |
| 51 | .BI "\-T [" "image type" "]" |
| 52 | Parse image file as type. |
| 53 | Pass \-h as the image to see the list of supported image type. |
| 54 | Without this option image type is autodetected. |
| 55 | |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 56 | .TP |
| 57 | .BI "\-q" |
| 58 | Quiet. Don't print the image header on successful verification. |
| 59 | |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 60 | .P |
| 61 | .B Create old legacy image: |
| 62 | |
| 63 | .TP |
| 64 | .BI "\-A [" "architecture" "]" |
Loïc Minier | 775648f | 2011-01-04 02:32:36 +0100 | [diff] [blame] | 65 | Set architecture. Pass \-h as the architecture to see the list of supported architectures. |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 66 | |
| 67 | .TP |
| 68 | .BI "\-O [" "os" "]" |
| 69 | Set operating system. bootm command of u-boot changes boot method by os type. |
Loïc Minier | 775648f | 2011-01-04 02:32:36 +0100 | [diff] [blame] | 70 | Pass \-h as the OS to see the list of supported OS. |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 71 | |
| 72 | .TP |
| 73 | .BI "\-T [" "image type" "]" |
| 74 | Set image type. |
Loïc Minier | 775648f | 2011-01-04 02:32:36 +0100 | [diff] [blame] | 75 | Pass \-h as the image to see the list of supported image type. |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 76 | |
| 77 | .TP |
| 78 | .BI "\-C [" "compression type" "]" |
| 79 | Set compression type. |
Loïc Minier | 775648f | 2011-01-04 02:32:36 +0100 | [diff] [blame] | 80 | Pass \-h as the compression to see the list of supported compression type. |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 81 | |
| 82 | .TP |
Jelle van der Waa | 6c90a7d | 2016-09-14 21:54:53 +0200 | [diff] [blame] | 83 | .BI "\-a [" "load address" "]" |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 84 | Set load address with a hex number. |
| 85 | |
| 86 | .TP |
| 87 | .BI "\-e [" "entry point" "]" |
| 88 | Set entry point with a hex number. |
| 89 | |
| 90 | .TP |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 91 | .BI "\-l" |
| 92 | List the contents of an image. |
| 93 | |
| 94 | .TP |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 95 | .BI "\-n [" "image name" "]" |
| 96 | Set image name to 'image name'. |
| 97 | |
| 98 | .TP |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 99 | .BI "\-R [" "secondary image name" "]" |
| 100 | Some image types support a second image for additional data. For these types, |
| 101 | use \-R to specify this second image. |
Sean Anderson | 021e2db | 2022-05-16 16:11:07 -0400 | [diff] [blame] | 102 | .TS |
| 103 | allbox; |
| 104 | lb lbx |
| 105 | l l. |
| 106 | Image Type Secondary Image Description |
| 107 | pblimage Additional RCW-style header, typically used for PBI commands. |
| 108 | zynqimage, zynqmpimage T{ |
| 109 | Initialization parameters, one per line. Each parameter has the form |
| 110 | .sp |
| 111 | .ti 4 |
| 112 | .I address data |
| 113 | .sp |
| 114 | where |
| 115 | .I address |
| 116 | and |
| 117 | .I data |
| 118 | are hexadecimal integers. The boot ROM will write each |
| 119 | .I data |
| 120 | to |
| 121 | .I address |
| 122 | when loading the image. At most 256 parameters may be specified in this |
| 123 | manner. |
| 124 | T} |
| 125 | .TE |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 126 | |
| 127 | .TP |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 128 | .BI "\-d [" "image data file" "]" |
| 129 | Use image data from 'image data file'. |
| 130 | |
| 131 | .TP |
| 132 | .BI "\-x" |
| 133 | Set XIP (execute in place) flag. |
| 134 | |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 135 | .TP |
| 136 | .BI "\-s" |
Sean Anderson | 021e2db | 2022-05-16 16:11:07 -0400 | [diff] [blame] | 137 | Don't copy in the image data. Depending on the image type, this may create |
| 138 | just the header, everything but the image data, or nothing at all. |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 139 | |
| 140 | .TP |
| 141 | .BI "\-v" |
| 142 | Verbose. Print file names as they are added to the image. |
| 143 | |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 144 | .P |
| 145 | .B Create FIT image: |
| 146 | |
| 147 | .TP |
Andreas Bießmann | f400158 | 2016-05-01 03:01:27 +0200 | [diff] [blame] | 148 | .BI "\-b [" "device tree file" "] |
| 149 | Appends the device tree binary file (.dtb) to the FIT. |
Simon Glass | bd8bc5d | 2016-02-22 22:55:52 -0700 | [diff] [blame] | 150 | |
| 151 | .TP |
Simon Glass | bf27d3d | 2013-06-13 15:10:06 -0700 | [diff] [blame] | 152 | .BI "\-c [" "comment" "]" |
| 153 | Specifies a comment to be added when signing. This is typically a useful |
| 154 | message which describes how the image was signed or some other useful |
| 155 | information. |
| 156 | |
| 157 | .TP |
Horst Kronstorfer | 8878492 | 2011-12-23 05:40:20 +0000 | [diff] [blame] | 158 | .BI "\-D [" "dtc options" "]" |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 159 | Provide special options to the device tree compiler that is used to |
| 160 | create the image. |
| 161 | |
| 162 | .TP |
Simon Glass | afd728c | 2016-02-22 22:55:53 -0700 | [diff] [blame] | 163 | .BI "\-E |
| 164 | After processing, move the image data outside the FIT and store a data offset |
| 165 | in the FIT. Images will be placed one after the other immediately after the |
| 166 | FIT, with each one aligned to a 4-byte boundary. The existing 'data' property |
| 167 | in each image will be replaced with 'data-offset' and 'data-size' properties. |
| 168 | A 'data-offset' of 0 indicates that it starts in the first (4-byte aligned) |
| 169 | byte after the FIT. |
| 170 | |
| 171 | .TP |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 172 | .BI "\-B [" "alignment" "]" |
| 173 | The alignment, in hexadecimal, that external data will be aligned to. This |
| 174 | option only has an effect when \-E is specified. |
| 175 | |
| 176 | .TP |
Simon Glass | 88e31cb | 2016-02-22 22:55:51 -0700 | [diff] [blame] | 177 | .BI "\-f [" "image tree source file" " | " "auto" "]" |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 178 | Image tree source file that describes the structure and contents of the |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 179 | FIT image. |
| 180 | |
Simon Glass | 88e31cb | 2016-02-22 22:55:51 -0700 | [diff] [blame] | 181 | This can be automatically generated for some simple cases. |
| 182 | Use "-f auto" for this. In that case the arguments -d, -A, -O, -T, -C, -a |
| 183 | and -e are used to specify the image to include in the FIT and its attributes. |
| 184 | No .its file is required. |
| 185 | |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 186 | .TP |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 187 | .BI "\-F" |
| 188 | Indicates that an existing FIT image should be modified. No dtc |
Vagrant Cascadian | 6736b8b | 2014-11-01 18:09:01 -0700 | [diff] [blame] | 189 | compilation is performed and the \-f flag should not be given. |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 190 | This can be used to sign images with additional keys after initial image |
| 191 | creation. |
| 192 | |
| 193 | .TP |
Tomeu Vizoso | 8d83ed2 | 2016-11-04 14:22:15 +0100 | [diff] [blame] | 194 | .BI "\-i [" "ramdisk_file" "]" |
| 195 | Appends the ramdisk file to the FIT. |
| 196 | |
| 197 | .TP |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 198 | .BI "\-k [" "key_directory" "]" |
| 199 | Specifies the directory containing keys to use for signing. This directory |
| 200 | should contain a private key file <name>.key for use with signing and a |
| 201 | certificate <name>.crt (containing the public key) for use with verification. |
| 202 | |
Simon Glass | b4d8b09 | 2013-06-13 15:10:04 -0700 | [diff] [blame] | 203 | .TP |
Sean Anderson | 021e2db | 2022-05-16 16:11:07 -0400 | [diff] [blame] | 204 | .BI "\-G [" "key_file" "]" |
| 205 | Specifies the private key file to use when signing. This option may be used |
| 206 | instead of \-k. |
| 207 | |
| 208 | .TP |
Simon Glass | b4d8b09 | 2013-06-13 15:10:04 -0700 | [diff] [blame] | 209 | .BI "\-K [" "key_destination" "]" |
| 210 | Specifies a compiled device tree binary file (typically .dtb) to write |
| 211 | public key information into. When a private key is used to sign an image, |
| 212 | the corresponding public key is written into this file for for run-time |
| 213 | verification. Typically the file here is the device tree binary used by |
| 214 | CONFIG_OF_CONTROL in U-Boot. |
| 215 | |
Simon Glass | 817278a | 2013-06-13 15:10:07 -0700 | [diff] [blame] | 216 | .TP |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 217 | .BI "\-G [" "key_file" "]" |
| 218 | Specifies the private key file to use when signing. This option may be used |
| 219 | instead of \-k. |
| 220 | |
| 221 | .TP |
Sean Anderson | 5f15029 | 2022-05-16 16:11:08 -0400 | [diff] [blame] | 222 | .BI "\-g [" "key_name_hint" "]" |
| 223 | Sets the key-name-hint property when used with \-f auto. This is the <name> |
| 224 | part of the key. The directory part is set by \-k. This option also indicates |
| 225 | that the images included in the FIT should be signed. If this option is |
| 226 | specified, \-o must be specified as well. |
| 227 | |
| 228 | .TP |
Jan Kiszka | 4043f32 | 2022-01-14 10:21:19 +0100 | [diff] [blame] | 229 | .BI "\-o [" "signing algorithm" "]" |
| 230 | Specifies the algorithm to be used for signing a FIT image. The default is |
Jan Kiszka | 61f1fbd | 2022-02-05 13:19:36 +0100 | [diff] [blame] | 231 | taken from the signature node's 'algo' property. |
Jan Kiszka | 4043f32 | 2022-01-14 10:21:19 +0100 | [diff] [blame] | 232 | |
| 233 | .TP |
Teddy Reed | a845762 | 2016-06-09 19:38:02 -0700 | [diff] [blame] | 234 | .BI "\-p [" "external position" "]" |
| 235 | Place external data at a static external position. See \-E. Instead of writing |
| 236 | a 'data-offset' property defining the offset from the end of the FIT, \-p will |
| 237 | use 'data-position' as the absolute position from the base of the FIT. |
| 238 | |
| 239 | .TP |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 240 | .BI "\-r" |
Simon Glass | 817278a | 2013-06-13 15:10:07 -0700 | [diff] [blame] | 241 | Specifies that keys used to sign the FIT are required. This means that they |
| 242 | must be verified for the image to boot. Without this option, the verification |
| 243 | will be optional (useful for testing but not for release). |
| 244 | |
Simon Glass | 472ee0c | 2020-07-09 18:39:43 -0600 | [diff] [blame] | 245 | .TP |
Sean Anderson | 138d271 | 2022-04-08 16:08:39 -0400 | [diff] [blame] | 246 | .BI "\-N [" "engine" "]" |
| 247 | The openssl engine to use when signing and verifying the image. For a complete list of |
| 248 | available engines, refer to |
| 249 | .BR engine (1). |
| 250 | |
| 251 | .TP |
Simon Glass | 472ee0c | 2020-07-09 18:39:43 -0600 | [diff] [blame] | 252 | .BI "\-t |
| 253 | Update the timestamp in the FIT. |
| 254 | |
| 255 | Normally the FIT timestamp is created the first time mkimage is run on a FIT, |
| 256 | when converting the source .its to the binary .fit file. This corresponds to |
| 257 | using the -f flag. But if the original input to mkimage is a binary file |
| 258 | (already compiled) then the timestamp is assumed to have been set previously. |
| 259 | |
Horst Kronstorfer | e6b37cf | 2011-12-21 04:31:23 +0000 | [diff] [blame] | 260 | .SH EXAMPLES |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 261 | |
| 262 | List image information: |
| 263 | .nf |
| 264 | .B mkimage -l uImage |
| 265 | .fi |
| 266 | .P |
| 267 | Create legacy image with compressed PowerPC Linux kernel: |
| 268 | .nf |
| 269 | .B mkimage -A powerpc -O linux -T kernel -C gzip \\\\ |
| 270 | .br |
| 271 | .B -a 0 -e 0 -n Linux -d vmlinux.gz uImage |
| 272 | .fi |
| 273 | .P |
| 274 | Create FIT image with compressed PowerPC Linux kernel: |
| 275 | .nf |
| 276 | .B mkimage -f kernel.its kernel.itb |
| 277 | .fi |
Simon Glass | b4d8b09 | 2013-06-13 15:10:04 -0700 | [diff] [blame] | 278 | .P |
| 279 | Create FIT image with compressed kernel and sign it with keys in the |
| 280 | /public/signing-keys directory. Add corresponding public keys into u-boot.dtb, |
| 281 | skipping those for which keys cannot be found. Also add a comment. |
| 282 | .nf |
| 283 | .B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\ |
Vagrant Cascadian | 6736b8b | 2014-11-01 18:09:01 -0700 | [diff] [blame] | 284 | .br |
Simon Glass | 1c57023 | 2016-02-22 22:55:49 -0700 | [diff] [blame] | 285 | .B -c """Kernel 3.8 image for production devices""" kernel.itb |
Simon Glass | b4d8b09 | 2013-06-13 15:10:04 -0700 | [diff] [blame] | 286 | .fi |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 287 | |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 288 | .P |
Sean Anderson | 5f15029 | 2022-05-16 16:11:08 -0400 | [diff] [blame] | 289 | Add public keys to u-boot.dtb without needing a FIT to sign. This will also |
| 290 | create a FIT containing an images node with no data named unused.itb. |
| 291 | .nf |
| 292 | .B mkimage -f auto -d /dev/null -k /public/signing-keys -g dev \\\\ |
| 293 | .br |
| 294 | .B -o sha256,rsa2048 -K u-boot.dtb unused.itb |
| 295 | .fi |
| 296 | |
| 297 | .P |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 298 | Update an existing FIT image, signing it with additional keys. |
| 299 | Add corresponding public keys into u-boot.dtb. This will resign all images |
| 300 | with keys that are available in the new directory. Images that request signing |
| 301 | with unavailable keys are skipped. |
| 302 | .nf |
| 303 | .B mkimage -F -k /secret/signing-keys -K u-boot.dtb \\\\ |
Vagrant Cascadian | 6736b8b | 2014-11-01 18:09:01 -0700 | [diff] [blame] | 304 | .br |
Simon Glass | 1c57023 | 2016-02-22 22:55:49 -0700 | [diff] [blame] | 305 | .B -c """Kernel 3.8 image for production devices""" kernel.itb |
Simon Glass | ce8c3ca | 2013-06-13 15:10:05 -0700 | [diff] [blame] | 306 | .fi |
| 307 | |
Simon Glass | 88e31cb | 2016-02-22 22:55:51 -0700 | [diff] [blame] | 308 | .P |
| 309 | Create a FIT image containing a kernel, using automatic mode. No .its file |
| 310 | is required. |
| 311 | .nf |
| 312 | .B mkimage -f auto -A arm -O linux -T kernel -C none -a 43e00000 -e 0 \\\\ |
| 313 | .br |
| 314 | .B -c """Kernel 4.4 image for production devices""" -d vmlinuz kernel.itb |
| 315 | .fi |
Simon Glass | bd8bc5d | 2016-02-22 22:55:52 -0700 | [diff] [blame] | 316 | .P |
| 317 | Create a FIT image containing a kernel and some device tree files, using |
| 318 | automatic mode. No .its file is required. |
| 319 | .nf |
| 320 | .B mkimage -f auto -A arm -O linux -T kernel -C none -a 43e00000 -e 0 \\\\ |
| 321 | .br |
| 322 | .B -c """Kernel 4.4 image for production devices""" -d vmlinuz \\\\ |
Andreas Bießmann | f400158 | 2016-05-01 03:01:27 +0200 | [diff] [blame] | 323 | .B -b /path/to/rk3288-firefly.dtb -b /path/to/rk3288-jerry.dtb kernel.itb |
Simon Glass | bd8bc5d | 2016-02-22 22:55:52 -0700 | [diff] [blame] | 324 | .fi |
Sean Anderson | 5f15029 | 2022-05-16 16:11:08 -0400 | [diff] [blame] | 325 | .P |
| 326 | Create a FIT image containing a signed kernel, using automatic mode. No .its |
| 327 | file is required. |
| 328 | .nf |
| 329 | .B mkimage -f auto -A arm -O linux -T kernel -C none -a 43e00000 -e 0 \\\\ |
| 330 | .br |
| 331 | .B -d vmlinuz -k /secret/signing-keys -g dev -o sha256,rsa2048 kernel.itb |
| 332 | .fi |
Simon Glass | 88e31cb | 2016-02-22 22:55:51 -0700 | [diff] [blame] | 333 | |
Nobuhiro Iwamatsu | 9711cf6 | 2010-06-16 10:38:24 +0900 | [diff] [blame] | 334 | .SH HOMEPAGE |
| 335 | http://www.denx.de/wiki/U-Boot/WebHome |
| 336 | .PP |
| 337 | .SH AUTHOR |
| 338 | This manual page was written by Nobuhiro Iwamatsu <iwamatsu@nigauri.org> |
Simon Glass | b148974 | 2013-06-13 15:10:03 -0700 | [diff] [blame] | 339 | and Wolfgang Denk <wd@denx.de>. It was updated for image signing by |
| 340 | Simon Glass <sjg@chromium.org>. |