We distinguish between the following project phases:
-
During development, keys are exposed to the development team. A development environment should not generate production images.
-
In production, final signed images are generated with custom private keys.
-
During manufacturing, signed images and public keys are programmed into the devices.
Development environment
In this phase, developers work with open devices that do not require signed images to boot. Applications and OTA packages can be signed with test keys available in Digi Embedded for Android sources tree during development. See Build your development images.
A development environment is not a secure environment, so it should not have access to final private keys or certificates.
Digi recommends you separate the development and sign process so the private keys are not exposed. A development server can generate the artifacts to be signed externally in a secure environment during the production.
Production environment
This must be a secure environment where final keys are used to sign the artifacts from development. It has access to:
-
The keys to sign the artifacts:
-
Just one of the four available keys to sign the bootloader image from development.
If this key is compromised and revoked, the production environment must be updated with the new key. See Revoke a bootloader sign key for more information.
-
The AVB keys to sign development images. See 1. Generate ABV keys to sign and verify images.
-
The OTA and APK keys for applications in the firmware and the generation of the OTA package. See 2. Generate APK an OTA keys.
-
-
The development built artifacts:
-
The bootloader images to sign and the trustfence-tools zip files with the tools. See 5. Sign the bootloader images.
-
The
ccimx8mmdvk-target_files-<build_id>.zip
generated by a development server to be signed. See 4. Generate release images.
-
A production environment can be set up in one of two ways:
-
The production build server is a secured development server that uses Digi Embedded for Android to build and sign images ready for deployment.
-
The production build server signs images from a development build server in a secure environment.
Manufacturing environment
In any case, the manufacturing facility will be provided with:
-
Signed firmware images from the production server.
-
The
SRK_efuses.bin
generated by the production server. -
A specific RPMB authentication key or generate a random RPMB key.
-
The AVB public key to be programmed in the RPMB secure storage.
The manufacturing facilities need to make sure that the RPMB authentication key is properly protected.