The build system signs the VBMeta struct in the VBMeta image with the AVB private key and stores one copy of the public key in the signed VBMeta image. During AVB verification, U-Boot validates the public key first, and then uses the public key to authenticate the signed VBMeta image.

A second pair of asymmetric keys (the AVB boot keys) signs the VBMeta struct in the boot image, which is built as a chained partition. For more information about chained partitions, see Android Verified Boot 2.0.

Custom keys should be used for production. To generate and configure your keys, follow these steps:

You are responsible for storing and protecting the private keys. Loss of the private keys will result in not being able to sign artifacts with the affected keys.

1. Generate custom AVB keys

A pair of asymmetric keys, the AVB keys, is used to sign the VBMeta struct in the VBMeta image:

  1. Generate the private key with OpenSSL. For example, to generate an RSA-4096 private key called custom_rsa4096_private.pem:

    $ openssl genpkey -algorithm RSA \
      -pkeyopt rsa_keygen_bits:4096 \
      -outform PEM \
      -out custom_rsa4096_private.pem

  2. Extract the corresponding public key from the private key. Use avbtool located at /usr/local/dea-11.0-r2/external/avb.

    $ /usr/local/dea-11.0-r2/external/avb/avbtool extract_public_key \
      --key custom_rsa4096_private.pem \
      --output custom_rsa4096_public.bin

    SHA256_RSA4096 and SHA256_RSA2048 are the recommended algorithms to sign the images. The Cryptographic Acceleration and Assurance Module (CAAM) of the ConnectCore 8X can help accelerate the hash calculation.

2. Generate custom AVB boot keys

The boot image is built as a chained partition, and the VBMeta struct in the boot image is signed by a pair of asymmetric keys, the AVB boot keys.

To generate the private key with OpenSSL, for example, an RSA-2048 private key called custom_rsa2048_private.pem, execute:

$ openssl genpkey -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -outform PEM \
  -out custom_rsa2048_private.pem

SHA256_RSA4096 and SHA256_RSA2048 are the recommended algorithms to sign the images for the ConnectCore 8X, whose CAAM can help accelerate the hash calculation.

3. Sign with your AVB keys

To use your keys to sign the images for production, you can do either of the following:

Sign development images with your custom keys

Build using test/development keys and sign the resulting images with your custom keys in a secure production environment.

Configure the build system to use your keys

  1. Set AVB key.

    Set BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH defined at device/digi/imx8q/ccimx8xsbcpro/BoardConfig.mk:

    BOARD_AVB_ALGORITHM := SHA256_RSA4096
    BOARD_AVB_KEY_PATH := ${your-key-directory}/custom_rsa4096_private.pem

    By default, the build system uses the algorithm SHA256_RSA4096 and the private AVB key device/digi/common/security/testkey_rsa4096.pem to sign the VBMeta struct in the VBMeta image.

    Its corresponding public key is device/digi/common/security/testkey_public_rsa4096.bin.

  2. Set AVB boot key to sign the boot image.

    Configure BOARD_AVB_BOOT_ALGORITHM and BOARD_AVB_BOOT_KEY_PATH defined at device/digi/imx8q/ccimx8xsbcpro/BoardConfig.mk:

    BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048
    BOARD_AVB_BOOT_KEY_PATH := ${your-key-directory}/custom_rsa2048_private.pem

    By default, the build system uses the algorithm SHA256_RSA2048 and the private AVB boot key external/avb/test/data/testkey_rsa2048.pem to sign the boot image.
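
A release gate for the configuration steps above, as an added example that is not part of the original documentation or build system: it reads a BoardConfig.mk and fails if either signing key is unset or still points at one of the default test keys named above, or if an algorithm other than the two recommended ones is set. The function names, the constructed sample paths and the pass/fail policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: release gate for the AVB settings in a BoardConfig.mk.
# Test-key paths and algorithms come from this page; the rest is assumed.

# Print the last value assigned to make variable $2 in file $1 (":=" or "=").
mk_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:\{0,1\}=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_avb_pair FILE ALGO_VAR KEY_VAR: print findings, return 1 if any.
check_avb_pair() {
    bad=0
    algo=$(mk_value "$1" "$2")
    key=$(mk_value "$1" "$3")
    case "$algo" in
        ""|SHA256_RSA4096|SHA256_RSA2048) ;;  # unset keeps the build default
        *) echo "$2: '$algo' is not a recommended algorithm"; bad=1 ;;
    esac
    case "$key" in
        "") echo "$3: not set, so the default test key applies"; bad=1 ;;
        *device/digi/common/security/testkey_rsa4096.pem|\
        *external/avb/test/data/testkey_rsa2048.pem)
            echo "$3: '$key' is a default test key"; bad=1 ;;
    esac
    return $bad
}

# check_avb_config FILE: return 0 only if the AVB and AVB boot settings pass.
check_avb_config() {
    rc=0
    check_avb_pair "$1" BOARD_AVB_ALGORITHM BOARD_AVB_KEY_PATH || rc=1
    check_avb_pair "$1" BOARD_AVB_BOOT_ALGORITHM BOARD_AVB_BOOT_KEY_PATH || rc=1
    return $rc
}

# Check the file given as argument. With none, check a constructed sample that
# still signs the boot image with the test key, so one finding is printed.
if [ "$#" -gt 0 ]; then
    check_avb_config "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'BOARD_AVB_ALGORITHM := SHA256_RSA4096' \
        'BOARD_AVB_KEY_PATH := /secure/keys/custom_rsa4096_private.pem' \
        'BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048' \
        'BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem' \
        >"$sample"
    check_avb_config "$sample" || echo "gate: FAIL"
    rm -f "$sample"
fi
```

Run it with the path to your BoardConfig.mk as the only argument; a non-zero exit status means at least one finding was printed.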