To maintain a high level of security, strictly limit the number of people who have access to the private keys to sign the device artifacts. In many cases, this means that only specific persons—signers—have access to them, and these individuals may or may not be part of the development team.
TrustFence standalone signing and encryption tools allow you to isolate the signing/encryption processes from firmware image generation. This way, there is no need to secure the entire development environment, only a secure location in which the firmware images get signed .
Encryption is not currently supported for the ConnectCore 93. |
Requirements:
Download and install a pre-built SDK as explained in Install a pre-compiled toolchain.
Sign U-Boot images
Authentication of signed boot artifacts is not enabled on the default U-Boot configuration.
You must enable the configuration option conf/local.conf
|
Once the toolchain is installed and sourced, you can follow these steps to sign a U-Boot image:
-
Configure the signature process using the following environment variables:
-
CONFIG_SIGN_KEYS_PATH
: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty folder is specified. -
CONFIG_KEY_INDEX
: (Optional) Default value is 0. Index of the key to use for signatures. -
CONFIG_SIGN_MODE
: (Mandatory) Must be set to "AHAB" -
SRK_REVOKE_MASK
: (Optional) Bitmask of the revoked SRKs.You can also define these variables in a file
.config
located in the current path:.configCONFIG_SIGN_KEYS_PATH="/path/to/keys" CONFIG_KEY_INDEX="3"
-
-
Execute the
trustfence-sign-uboot.sh
script with the input file (U-Boot image to be signed) as the first parameter and the output file (signed U-Boot image) as the second parameter:$ trustfence-sign-uboot.sh imx-boot.bin imx-boot-signed.bin Using existing PKI tree Signed image ready: imx-boot-signed.bin
The tool will also generate the SRK_efuses.bin
file for the PKI tree used.
Sign and encrypt other images
The trustfence-sign-artifact.sh
script allows generation of the following signed and encrypted artifacts:
-
Linux images
-
Device tree blobs and overlays
-
U-Boot bootscripts
-
Initramfs
To use the script, follow these steps:
-
Configure the signature process using the following environment variables:
-
CONFIG_SIGN_KEYS_PATH
: (Mandatory) The path to the PKI tree. If an empty path is specified, a new PKI tree is generated -
CONFIG_KEY_INDEX
: (Optional) Default value is 0. Index of the key to use for signatures. -
CONFIG_DEK_PATH
: (Optional) Path to the data encryption key. If undefined, the images will not be encrypted. If the file does not exist, a random 256-bit file is generated.In a similar way, you can also define these variables in a
.config
file located in the current path:.configCONFIG_SIGN_KEYS_PATH="/path/to/keys" CONFIG_DEK_PATH="/path/to/dek"
-
-
Execute the
trustfence-sign-artifact.sh
script. Syntax of the script is as follows:Usage: trustfence-sign-artifact.sh [OPTIONS] input-unsigned-image output-signed-image -p <platform> select platform for the project -b sign/encrypt bootscript -d sign/encrypt DTB -o sign/encrypt DTB overlay -i sign/encrypt initramfs -l sign/encrypt Linux image -r sign read-only rootfs image Supported platforms: ccimx6, ccimx6ul, ccimx8x, ccimx8mn, ccimx8mm
The following example generates a signed and encrypted Image.gz:
$ trustfence-sign-artifact.sh -p ccimx93 -l Image.gz Image.gz-signed