Packaging an update

Prerequisites

To package an update:

• A manifest.json file has to be prepared, that contains the correct file names and version strings.
• A public/private key pair has to be created.

The public key is embedded by the Image-Developer into the image and allows verification of the signatures created using the private key.

Key generation

The private and public key files are created using the STM32MP1-Keygen tool:

STM32MP1-Keygen Tool

Key creation settings

It is important to run the tool like this: STM32MP_KeyGen_CLI -abs /home/user/KeyFolder/ -pwd <privateKeyPassword> and to choose the prime256v1 elliptic curve.

The <privateKeyPassword> is required to package the update zip file.

Preparation

The zip-File is created by the packager tool.

Store all files together with the manifest.json file and the packager in one directory.

Adjust the manifest.json file, so that it contains the desired version numbers.

Firmware Signing and Packaging Tool - (C) 2023 idastroem GmbH
-------------------------------------------------------------
Usage of ./packager:
  -fortress-key string
    	private key for use with fortress server
  -manifest string
    	manifest file that contains the update files and rules (default "manifest.json")
  -password string
    	password for private key file
  -privKey string
    	private key (default "privateKey.pem")
  -zipfile string
    	output zip file name, file will be overwritten without further notice.

You must specify a valid zipfile name.

Running the packager

Start the packager by running the following command: packager -password <privateKeyPassword> -zipfile update.zip

This creates the zip-file update.zip, which contains the ecdsa signatures for the files listed in manifest.json.

If everything succeeds, the following messages are printed out:

Firmware Signing and Packaging Tool - (C) 2023 idastroem GmbH
-------------------------------------------------------------

loading private key file 'privateKey.pem'
decryption successful

loading manifest file 'manifest.json'
+ adding file 'cc'
+ adding file 'm4.bin'
done.

generating signatures.json
+ hashing file 'm4.bin' (726e02df7affc0726b2ccc97261ba2735455786f59f83b116a60bc99694ae8f9)
+ signature is '3045022044746c0219025828f8ca89a34cd4dacb32be315ac5c8dc28dc98202bdc6f3d84022100ebfa10ee57ef88fcc8f4bfcc7138be5e5f1f356f90eb5975a310a9fd715a
c5f8'
+ verifying signature...  'true'
+ hashing file 'cc' (0f24cf1bb9297d9301f43f54fc8b04cdf2daa24ca875bcb0b2e8735d1df952ad)
+ signature is '3045022100d1a9f180e5265ceb657c15d38808cc0e87169ca980d758b2bf88465cf3565463022078f8ca7ce2c563632eafb3af92b85392d7f15b9b92cf0a8ea93808551636
7c14'
+ verifying signature...  'true'
+ hashing file 'manifest.json' (c78da59e288e6127cd3e88214c6e5e0945fde1d2895e795c826d906c01155131)
+ signature is '3045022001ae60f7afd9df4d63feb4e4aeaa9b1f582aabaa9682791636b0edd9299a8984022100aeb2b7b758136276018b650c7dbe55795bade015e996977d4290e700fd45
eafa'
+ verifying signature...  'true'

creating zip file 'update.zip'
done.

Depending on the chosen delivery method, you can now:

• Copy the update.zip file to an USB stick.
• Upload the update.zip to the fw-update cloud service.