| Image Manipulation Tool |
| ####################### |
| |
| Introduction |
| ============ |
| |
| The *mcuboot* bootloader began as the bootloader for the Mynewt_ |
| project. This project's *newt* tool, in addition to configuration and |
| compilation, also contains code to manipulate image headers and apply |
| signatures. |
| |
| .. _Mynewt: https://mynewt.apache.org/ |
| |
| In order to use *mcuboot* with other OSes (starting with Zephyr), we |
| need a tool that doesn't depend on being run inside of a *Mynewt* |
| project. This ``imgtool`` command is a small program that uses the |
| *newt* tool's library as a small image manipulation tool |
| |
| Building It |
| =========== |
| |
| The *newt* tool is written in Go_, and as such, this imgtool is also. |
| In order to build from source, you will need the Go toolchain |
| installed. On most distributions, this can be accomplished by |
| installing a ``go`` or ``golang`` package. The tool is driven by a |
| program ``go``, and:: |
| |
| $ go version |
| |
| .. _Go: https://golang.org/ |
| |
| should print out the version installed. |
| |
| Go prefers a fairly specific source tree layout, and it is easiest to |
| work with if you keep this layout. To do this, you will need a |
| directory to hold your go source. Once you've created this, the |
| environment variable ``GOPATH`` needs to be set to point to this |
| directory. Once this is done, you can get this code, and its |
| necessary dependencies by running:: |
| |
| $ go get github.com/runtimeco/mcuboot/imgtool |
| |
| and the package can be built with:: |
| |
| $ go install github.com/runtimeco/mcuboot/imgtool |
| |
| This will place the build tool in ``$GOPATH/bin/imgtool``. Feel free |
| to either place this directory in your path, or move the image to |
| somewhere in your path. |
| |
| Usage |
| ===== |
| |
| Run ``imgtool`` either with no arguments, or with ``help`` to get more |
| help. The tool is capable of generating the signing keys needed for |
| the bootloader, extracting the public key to embed in the image, and |
| signing images. |
| |
| Generating keys |
| --------------- |
| |
| Keys are generated with the ``keygen`` subcommand. The ``-k`` option |
| allows you to specify a different file for the resulting key. The key |
| is stored in *PEM* format. |
| |
| You must specify a ``--key-type`` parameter. Current valid entries |
| are: |
| |
| .. list-table:: Key types |
| :header-rows: 1 |
| |
| * - Parameter |
| - Description |
| * - ecdsa-p224 |
| - ECDSA with SHA256 and NIST P-224 (secp224r1) |
| * - ecdsa-p256 |
| - ECDSA with SHA256 and NIST P-256 (secp256r1) |
| |
| Extracting the public key |
| ------------------------- |
| |
| In order to use a key other than the key distributed in the Zephyr |
| directory, it needs to be extracted from the private key. The |
| ``getpub`` subcommand does this. The ``-k`` option can be used to |
| specify a keyfile. The program will then output the public key to |
| stdout. This should be written to a ``.cc`` file and included in the |
| build. For Zephyr builds, this is in the file ``boot/zephyr/keys.c`` |
| in the main tree. |
| |
| Signing images |
| -------------- |
| |
| In order for the bootloader to be able to upgrade an image, it must |
| have a header prefixed to it, and a signature placed at the end. The |
| ``sign`` subcommand can perform these operations. |
| |
| In order to use Zephyr images, you must set CONFIG_TEXT_SECTION_OFFSET |
| in the main Zephyr program you want to build. The exact value depends |
| on the particular target. The FRDM-K64F, 0x200 should be used. |
| |
| The ``sign`` command needs to be told this header offset as well, with |
| the ``--header-size 0x200`` argument. |
| |
| The ``sign`` command is also able to mark images for upgrade. This is |
| done with the ``--pad``, and ``--align`` arguments. The pad should be |
| set to the size of the image slot (in bytes), and the alignment needs |
| to be set to the write alignment of the flash device. For FRDM-K64F, |
| the alignment is 8. |