[yocto] uBoot, kernel and device tree files

Srinivasan, Raja rsrinivasan at abiomed.com
Thu Aug 9 06:13:12 PDT 2018


Appreciate the suggestions. I will try them out. thanks, srini

-----Original Message-----
From: Michal Vokáč [mailto:michal.vokac at ysoft.com]
Sent: Thursday, August 9, 2018 4:41 AM
To: Srinivasan, Raja <rsrinivasan at abiomed.com>
Cc: yocto at yoctoproject.org
Subject: Re: [yocto] uBoot, kernel and device tree files

Hi Srini,

On 8.8.2018 20:51, Srinivasan, Raja wrote:
> All
>
> We are using rocko on variscite var-som-mx6.
>
> In order to increase the security of our system (during a system upgrade), we are looking to merge uImage (kernel image) and the device tree file into 1 file. Currently these are 2 different files and we are worried that a file copy operation might get aborted.

I understand that what you want to achieve by combining the files is "reliability" and not "security". Those are totally different things.

> My research so far indicates mkuboot can be used to merge these, but I am having trouble making this work.
>
> Need some ideas.
>
> Any pointers appreciated. srini

I am aware of at least two options to combine kernel images and device tree files.

Option 1) Append DTB directly to the kernel image

This is the simplest option. Just use cat to concatenate the files and enable the CONFIG_ARM_APPENDED_DTB kernel option.
Read the help for the option, it is quite informative.

In this case you do not need to change anything in your boot loader.
Just load and boot the combined image as usual and the kernel will do the rest.

Option 2) Use FIT images

I strongly recommend this option over the first one.
FIT images are something like containers that can contain multiple kernel images, multiple device tree blobs, multiple initram file systems.
Part of the FIT image then describes what combinations of those files can be used to boot.

If your concern is not just reliability but also security then FIT images are also better. You can put hashes/signatures of all the files into the description of the files and use the hashes in the bootloader to verify the images (I never used that.)

In this option you need to change your boot command.

Hope this helps,
Michal
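
A FIT image source (.its) for Option 2, as an added example that is not part of the original thread or of any project's own files: it bundles one kernel and one device tree into a single file, with a SHA-256 hash per image and a signed configuration. The file names `zImage` and `board.dtb`, the load/entry addresses, the node names and the key name `dev` are assumptions to be replaced with the board's real values.

```dts
/*
 * Added example, not from the original thread.
 * Build (hashes only):   mkimage -f fitImage.its fitImage
 * Build (with signing):  mkimage -f fitImage.its -k <key-dir> -K <u-boot.dtb> -r fitImage
 * Boot from U-Boot:      bootm ${loadaddr}
 * U-Boot needs CONFIG_FIT, plus CONFIG_FIT_SIGNATURE to verify signatures.
 */
/dts-v1/;

/ {
	description = "Kernel and device tree in one FIT image";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("zImage");       /* placeholder file name */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x10008000>;             /* assumed address, check the board */
			entry = <0x10008000>;            /* assumed address, check the board */
			hash-1 { algo = "sha256"; };     /* checked by bootm before booting */
		};
		fdt-1 {
			description = "Device tree blob";
			data = /incbin/("board.dtb");    /* placeholder file name */
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash-1 { algo = "sha256"; };
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "Kernel with its matching device tree";
			kernel = "kernel-1";
			fdt = "fdt-1";
			signature-1 {                    /* filled in by mkimage -k */
				algo = "sha256,rsa2048";
				key-name-hint = "dev";       /* placeholder key name */
				sign-images = "kernel", "fdt";
			};
		};
	};
};
```

Signing the configuration rather than each image alone binds this kernel to this device tree, so a verified kernel cannot be paired with a different, unverified blob. The `-r` flag marks the key as required in the U-Boot control device tree, so unsigned configurations are refused.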

