Flattened Image Tree (FIT) overview
The Linux kernel boot process involves a number of artifacts that must be placed in memory and booted together. This typically includes:
-
the kernel image
-
a device tree
-
optionally, device tree overlays
-
optionally, a ramdisk rootfs
The Flattened Image Tree (FIT) provides a flexible and extensible format to put all these artifacts in a single file.
The FIT format supports multiple configurations so you can use the same FIT image to boot multiple boards that have a common component (e.g., kernel) but use other artifacts specific to each board (e.g., device tree or overlays). A FIT file also includes hashes to verify the integrity of every artifact. To learn more about the FIT format, see Flattened Image Tree (FIT) Format.
FIT image signing
The signature feature allows you to use a private key to sign the hashes of the FIT artifacts. This way, any image or configuration inside the FIT can later be authenticated using the public key.
The public key must reside in a trusted place for FIT image artifacts to be authenticated. Digi Embedded Yocto places the public key in the U-Boot bootloader device tree because that is authenticated against the keys programmed in the OTP bits.
If authentication fails, the target does not boot at all. If it succeeds, the bootloader runs and has the public keys available to authenticate the artifacts in the FIT image. This guarantees the chain of trust.
Digi Embedded Yocto does the following when TrustFence is enabled:
-
Generates the FIT sign keys (if they don’t exist).
-
Generates a FIT image with the kernel, base device tree, device tree overlays, and U-Boot boot script.
-
Signs the FIT image hashes with the private keys.
-
Inserts the FIT public keys inside the U-Boot device tree.
-
Signs the FIP image (containing U-Boot + OP-TEE) with TrustFence keys.
-
Generates a file
*.boot.ubifs
that contains the FIT image.
The following diagram explains how Digi Embedded Yocto signs the FIT image:
The following diagram explains how U-Boot authenticates the FIT image during the boot process:
For more information on U-Boot FIT signature verification, see U-Boot FIT Signature Verification.