The required artifacts to sign the bootloader images are:

  1. The bootloader signature keys as a PKI tree. Ideally, just one of the four available key to sign the bootloader image from development.

    The Code Signing Tool (CST) generates a PKI tree if none is found.

  2. The bootloader images u-boot-ccimx8mmdvk.imx and u-boot-ccimx8mmdvk-trusty.imx.

  3. The sign tools inside trustfence-tools zip files.

To sign the ConnectCore 8M Mini images, follow these steps:

1. Install Code Signing Tool (CST)

Digi Embedded for Android uses NXP’s Code Signing Tool (CST) for the High Assurance Boot library when generating secure firmware images.

  1. Download CST 3.3.1 from

  2. Decompress the package, for example to your home directory, /home/<user>:

    $ tar zxvf cst-3.3.1.tgz -C ~
  3. Add the directory linux64/bin to your path:

    $ export PATH=~/cst-3.3.1/linux64/bin:$PATH

2. Get TrustFence tools

All the required resources to sign a bootloader image are packaged inside a compressed file: trustfence-tools-ccimx8mmdvk.

The build process generates two different bootloader images and a trustfence-tools zip file for each one in the out/target/product/ccimx8mmdvk folder of the dea-11.0-r2 directory:

  1. Bootloader image without Trusty

    Once signed, the image will be programmed in the device.

    1. u-boot-ccimx8mmdvk.imx


  2. Bootloader image with Trusty

    Once signed, the image will be used to boot from USB when programming the bootloader with Trusty. It can also be used to recover a closed device booting from USB.

    1. u-boot-ccimx8mmdvk-trusty.imx


Decompress the trustfence-tool zip files, for example, to your home, /home/<user>:

$ unzip -q -d ~
$ unzip -q -d ~

3. Sign bootloader images

Follow these steps to sign bootloader images:

  1. Configure the signature process using the following environment variables:

    You can also define these variables in a file .config located inside each trustfence-tools directory:

  2. Sign the bootloader image with Trusty, u-boot-ccimx8mmdvk-trusty.imx:

    1. Enter the trustfence-tools-ccimx8mmdvk-trusty directory.

      $ cd ~/trustfence-tools-ccimx8mmdvk-trusty
    2. Copy the bootloader image to sign to the trustfence-tools-ccimx8mmdvk-trusty directory.

      $ cp /usr/local/dea-11.0-r2/out/target/product/ccimx8mmdvk/u-boot-ccimx8mmdvk-trusty.imx \
    3. Execute the script from trustfence-tools-ccimx8mmdvk-trusty directory. The first parameter must be the input image to be signed and the second parameter, the output signed image.

      $ PATH=~/trustfence-tools-ccimx8mmdvk-trusty/bin:$PATH \
        ./ u-boot-ccimx8mmdvk-trusty.imx \
      Signed image ready: u-boot-ccimx8mmdvk-trusty-signed.imx
  3. Repeat a similar process to sign the bootloader image without Trusty, u-boot-ccimx8mmdvk.imx:

    $ cd ~/trustfence-tools-ccimx8mmdvk
    $ cp /usr/local/dea-11.0-r2/out/target/product/ccimx8mmdvk/u-boot-ccimx8mmdvk.imx \
    $ PATH=~/trustfence-tools-ccimx8mmdvk/bin:$PATH \
      ./ u-boot-ccimx8mmdvk.imx \
    Signed image ready: u-boot-ccimx8mmdvk-signed.imx

The process generates:

  • Inside trustfence-tools-ccimx8mmdvk-trusty:

  • Inside trustfence-tools-ccimx8mmdvk:

    • The signed bootloader image, u-boot-ccimx8mmdvk-signed.imx, to boot from USB a closed device.

  • The PKI tree inside the configured CONFIG_SIGN_KEYS_PATH.