FIT image authentication

The Linux kernel boot process involves a number of artifacts that must be placed in memory and booted together. This typically includes:

The Flattened Image Tree (FIT) provides a flexible and extensible format to put all these artifacts in a single file.

The FIT format supports multiple configurations so you can use the same FIT image to boot multiple boards that have a common component (e.g., kernel) but use other artifacts specific to each board (e.g., device tree or overlays). A FIT file also includes hashes to verify the integrity of every artifact. To learn more about the FIT format, see Flattened Image Tree (FIT) Format.

The signature feature allows you to use a private key to sign the hashes of the FIT artifacts. This way, any image or configuration inside the FIT can later be authenticated using the public key.

The public key must reside in a trusted place for FIT image artifacts to be authenticated. Digi Embedded Yocto places the public key in the U-Boot bootloader device tree because that is authenticated against the keys programmed in the OTP bits.

If authentication fails, the target does not boot at all. If it succeeds, the bootloader runs and has the public keys available to authenticate the artifacts in the FIT image. This guarantees the chain of trust.

Digi Embedded Yocto does the following when TrustFence is enabled:

The following diagram explains how Digi Embedded Yocto signs the FIT image:

The following diagram explains how U-Boot authenticates the FIT image during the boot process:

For more information on U-Boot FIT signature verification, see U-Boot FIT Signature Verification.