Sign and encrypt other images
Once a device is deployed in the field, new binaries required for booting can be signed and encrypted to boot on the deployed device. This script allows the following artifacts to be signed and encrypted:
- Linux images, both zImages and uImages
- DTBs
- U-Boot bootscripts
- Initramfs
To use the script, follow these steps:
- Configure the signature process using the following environment variables:
- CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. If an empty path is specified, a new PKI tree is generated
CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.
CONFIG_DEK_PATH: (Optional) Path to the data encryption key. If undefined, the images will not be encrypted. If the file does not exist, a random 256-bit file is generated.
The following example sets up the environment to generate signed and encrypted artifacts:
export CONFIG_SIGN_KEYS_PATH="/path/to/keys" export CONFIG_DEK_PATH="/path/to/dek"In a similar way, you can also define these variables in a .config file located in the current path:
.configCONFIG_SIGN_KEYS_PATH="/path/to/keys" CONFIG_DEK_PATH="/path/to/dek"
- Execute the trustfence-sign-kernel.sh script. Usage of the script is as follows:
Usage: trustfence-sign-kernel.sh [OPTIONS] input-unsigned-image output-signed-image
-p <platform> select platform for the project
-d sign/encrypt DTB
-i sign/encrypt initramfs
-l sign/encrypt Linux image
Supported platforms: ccimx6, ccimx6ul
The following example signs and encrypt the zImage for the ConnectCore 6UL:
trustfence-sign-kernel.sh -p ccimx6ul -l zImage zImage-signed
PDF
