Sign and encrypt U-Boot images
Once a device is deployed in the field, follow these steps to sign and encrypt a new U-Boot image to boot on the deployed device:
- Configure the signature process using the following environment variables:
  - CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty path is specified.
  - CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.
  - NO_DCD: (Optional) Remove device configuration data from the signed images. This produces a signed U-Boot image able to boot via USB. See Recover your device.
  - CONFIG_UNLOCK_SRK_REVOKE: (Optional) If defined, the signed U-Boot can revoke keys on a closed device.
  - ENABLE_ENCRYPTION: (Optional) If defined, the signed images are encrypted.
  - CONFIG_DEK_PATH: (Mandatory if ENABLE_ENCRYPTION is defined, otherwise ignored) The path to the data encryption key. If the file does not exist, a random 256-bit file is generated.
The following example sets up the environment to generate signed U-Boot images with key index 3:
    export CONFIG_SIGN_KEYS_PATH="/path/to/keys"
    export CONFIG_KEY_INDEX="3"
    # In order to encrypt the images, export the following:
    #export ENABLE_ENCRYPTION="y"
    #export CONFIG_DEK_PATH="/path/to/keys/dek.bin"
You can also define these variables in a file .config located in the current path:
    CONFIG_SIGN_KEYS_PATH="/path/to/keys"
    CONFIG_KEY_INDEX="3"
    # In order to encrypt the images, also add the following:
    #export ENABLE_ENCRYPTION="y"
    #export CONFIG_DEK_PATH="/path/to/keys/dek.bin"
- Execute the trustfence-sign-uboot.sh script with the input file (U-Boot image to be signed) as the first parameter and the output file (signed and possibly encrypted U-Boot image) as the second parameter:
    user:~/standalone-sign$ trustfence-sign-uboot.sh u-boot.imx u-boot-signed.imx
    Using existing PKI tree
    Signed image ready: u-boot-signed.imx
The tool will also generate the SRK_efuses.bin file for the PKI tree used.
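
A pre-flight check for the variables described above, added here as an example; it is not part of the TrustFence tooling or the original page. The function name trustfence_preflight is hypothetical, and the check assumes that an unset variable, a missing directory and an empty directory all count as the "empty path" that makes the tool generate a new PKI tree.

```shell
#!/bin/sh
# Hypothetical pre-flight helper (not part of the TrustFence tooling): checks the
# variables documented above before trustfence-sign-uboot.sh is run.
# Prints one line per finding and returns 0 only if no ERROR was found.
trustfence_preflight() {
    rc=0
    # Assumption: unset variable, missing directory and empty directory all count
    # as the "empty path" that makes the tool generate a new PKI tree, whose keys
    # would not match the ones already programmed into a deployed device.
    if [ -z "${CONFIG_SIGN_KEYS_PATH:-}" ]; then
        echo "ERROR: CONFIG_SIGN_KEYS_PATH is not set"; rc=1
    elif [ ! -d "$CONFIG_SIGN_KEYS_PATH" ] ||
         [ -z "$(ls -A "$CONFIG_SIGN_KEYS_PATH" 2>/dev/null)" ]; then
        echo "ERROR: $CONFIG_SIGN_KEYS_PATH is missing or empty; a new PKI tree would be generated"; rc=1
    fi

    idx="${CONFIG_KEY_INDEX:-0}"            # documented default is 0
    case "$idx" in
        *[!0-9]*) echo "ERROR: CONFIG_KEY_INDEX must be a non-negative integer, got '$idx'"; rc=1 ;;
    esac

    if [ -n "${ENABLE_ENCRYPTION+x}" ]; then    # "defined", even if empty
        if [ -z "${CONFIG_DEK_PATH:-}" ]; then
            echo "ERROR: ENABLE_ENCRYPTION is defined but CONFIG_DEK_PATH is not set"; rc=1
        elif [ -f "$CONFIG_DEK_PATH" ]; then
            size=$(wc -c < "$CONFIG_DEK_PATH" | tr -d ' ')
            [ "$size" -eq 32 ] ||
                echo "WARN: DEK is $size bytes, not the 32 bytes (256 bits) the tool generates"
            [ -z "$(find "$CONFIG_DEK_PATH" -perm -004 2>/dev/null)" ] ||
                echo "WARN: $CONFIG_DEK_PATH is world-readable"
        else
            echo "WARN: $CONFIG_DEK_PATH does not exist; a random 256-bit DEK will be generated"
        fi
    fi

    # Options that change the security properties of the output image.
    [ -z "${NO_DCD+x}" ] ||
        echo "WARN: NO_DCD is defined; the image has no DCD and is able to boot via USB"
    [ -z "${CONFIG_UNLOCK_SRK_REVOKE+x}" ] ||
        echo "WARN: CONFIG_UNLOCK_SRK_REVOKE is defined; this U-Boot can revoke keys on a closed device"
    return "$rc"
}

# Usage: trustfence_preflight && trustfence-sign-uboot.sh u-boot.imx u-boot-signed.imx
```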
