2. Build your target images
Once TrustFence is enabled and configured in your Digi Embedded Yocto project, you can build your target images as follows:
bitbake dey-image-qt
When the build process finishes, several secure artifacts appear in the deployment directory:
- u-boot-{machine}.imx: These are the default U-Boot images. They are not signed.
- u-boot-signed-{machine}.imx: These are the signed U-Boot images. Like default U-Boot images, they are specific for each variant.
- u-boot-usb-signed-{machine}.imx: These are special signed U-Boot images for USB recovery. They must be used as described in USB boot signed U-Boot images.
- u-boot-encrypted-{machine}.imx: These are signed and encrypted U-Boot images specific for each variant.
- SRK_efuses.bin: This is a file containing the hash of the SRK public keys. It will be required when setting up the device for secure boot.
- A boot.ubifs image containing the following:
- zImage-ccimx6ulsbc.bin: Signed and encrypted Linux kernel image
- DTBs: Signed and encrypted device tree blob (dtb) files for all hardware platforms
- boot.scr: Signed and encrypted U-Boot bootscript
- dey-image-trustfence-initramfs-ccimx6ulsbc.cpio.gz.u-boot.tf: Signed and encrypted initramfs for rootfs encryption
- A recovery.ubifs image containing the following:
- zImage-ccimx6ulsbc.bin: Signed and encrypted Linux kernel image
- DTBs: Signed and encrypted device tree blob (dtb) files for all hardware platforms
- boot.scr: Signed and encrypted U-Boot bootscript
- uramdisk-recovery.img: Signed and encrypted initramfs for recovery
The PKI tree and the encryption key are also generated (when not provided). They are stored at the specified TRUSTFENCE_SIGN_KEYS_PATH location.
The folder will contain the following:
- crts/: directory containing the different certificates used for the signature
- keys/: directory containing the private key associated with each certificate and the passphrase protecting them
- dek.bin: data encryption key used to encrypt the images
The following files need to be securely stored in order to be used in the manufacturing of secure devices:
- SRK e-fuses public keys hash bin file (SRK_efuses.bin)
- PKI tree used to sign the firmware images, including the data encryption key in plain text
PDF
