1. Configure secure boot
To build signed and encrypted artifacts, modify your conf/local.conf file to include the following:
# Required to include trustfence support.
INHERIT += "trustfence"
Image signing is enabled by default. To explicitly disable the generation of signed images, define TRUSTFENCE_SIGN to 0:
TRUSTFENCE_SIGN = "0"
You can also use the following parameters to customize the location of the sensitive keys or to disable the feature:
- TRUSTFENCE_SIGN_KEYS_PATH: Path to a folder containing the PKI tree. If the folder does not exist or does not contain a PKI tree, it will be automatically generated. The default value is a new folder trustfence in the Digi Embedded Yocto project home location.
- TRUSTFENCE_DEK_PATH: Path to the data encryption key. When provided, it must be a 128-, 192- or 256-bit binary file. Otherwise, a random 256-bit key will be automatically generated. The default value is <TRUSTFENCE_SIGN_KEYS_PATH>/dek.bin. Set it to 0 to disable encryption of the signed images.
# Path to the signature keys and certificates.
TRUSTFENCE_SIGN_KEYS_PATH = "/mnt/secure/PKI_tree"
# Path to the Data Encryption Key.
TRUSTFENCE_DEK_PATH = "/mnt/secure/encryption_key.bin"
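If you supply your own key file instead of letting the build generate one, the following added example (not part of the Digi documentation; the function names and the temporary demo path are assumptions) creates a key of a supported size and checks the file before it is referenced from TRUSTFENCE_DEK_PATH. The permission check is an extra precaution of this example, not a documented TrustFence requirement.

```sh
#!/bin/sh
# Added example: create and sanity-check a TrustFence data encryption key file.
# Function names and the demo path are constructed for illustration.

# new_dek FILE [BITS]: write a random key of 128, 192 or 256 bits (default 256)
# with owner-only permissions. Refuses to overwrite an existing file.
new_dek() {
    f=$1
    bits=${2:-256}
    case "$bits" in
        128|192|256) ;;
        *) echo "unsupported key size: $bits" >&2; return 2 ;;
    esac
    if [ -e "$f" ]; then
        echo "refusing to overwrite $f" >&2
        return 1
    fi
    # umask is set in a subshell so the caller's umask is untouched.
    ( umask 077 && dd if=/dev/urandom of="$f" bs=$((bits / 8)) count=1 2>/dev/null )
}

# check_dek FILE: return 0 if FILE has a size TrustFence accepts for the DEK,
# 1 if missing, 2 if not 16/24/32 bytes, 3 if group/other can access it
# (the permission test is this example's own hygiene check).
check_dek() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "no such key file: $f" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    case "$size" in
        16|24|32) ;;
        *) echo "$f: $size bytes, expected 16, 24 or 32" >&2; return 2 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: accessible by group/other" >&2
        return 3
    fi
    return 0
}

# Demo in a throwaway directory (stand-in for a location such as /mnt/secure).
demo_dir=$(mktemp -d)
new_dek "$demo_dir/encryption_key.bin" 256 && check_dek "$demo_dir/encryption_key.bin" \
    && echo "DEK ok: $(wc -c < "$demo_dir/encryption_key.bin" | tr -d ' ') bytes"
rm -rf "$demo_dir"
```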
U-Boot environment encryption
When enabling TrustFence, the U-Boot environment will be encrypted by default using the CAAM and the secure internal unique key.
Note: This feature is only supported in closed devices. This setting has no effect on open devices.
To explicitly disable U-Boot environment encryption, set TRUSTFENCE_ENCRYPT_ENVIRONMENT to 0 as follows:
TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
CAUTION! When flashing U-Boot without the environment encryption feature in a device with an encrypted environment, all the values will be lost. Be sure to save any important data such as MAC addresses before you execute this procedure.
