5. Sign the bootloader images

The required artifacts to sign the bootloader images are:

The bootloader signature keys as a PKI tree. Ideally, just one of the four available key to sign the bootloader image from development.

The Code Signing Tool (CST) generates a PKI tree if none is found.
The bootloader images u-boot-ccimx8xsbcpro2GB-<variant>.imx and u-boot-ccimx8xsbcpro2GB-<variant>-trusty.imx.

See 3. Build your images.
The sign tools inside trustfence-tools zip files.

To sign the ConnectCore 8X images, follow these steps:

Install Code Signing Tool (CST)
Get TrustFence tools
Sign bootloader images

1. Install Code Signing Tool (CST)

Digi Embedded for Android uses NXP’s Code Signing Tool (CST) for the High Assurance Boot library when generating secure firmware images.

Download CST 3.3.1 from https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW&location=null.
Decompress the package, for example to your home directory, /home/<user>:
```
$ tar zxvf cst-3.3.1.tgz -C ~
```

Add the directory linux64/bin to your path:

$ export PATH=~/cst-3.3.1/linux64/bin:$PATH

2. Get TrustFence tools

All the required resources to sign a bootloader image are packaged inside a compressed file: trustfence-tools-ccimx8xsbcpro.

The build process generates two different bootloader images and a trustfence-tools zip file for each one in the out/target/product/ccimx8xsbcpro folder of the dea-11.0-r2 directory:

Bootloader image without Trusty

Once signed, the image will be programmed in the device.
1. u-boot-ccimx8xsbcpro2GB-<variant>.imx
2. trustfence-tools-ccimx8xsbcpro.zip
Bootloader image with Trusty

Once signed, the image will be used to boot from USB when programming the bootloader with Trusty. It can also be used to recover a closed device booting from USB.
1. u-boot-ccimx8xsbcpro2GB-<variant>-trusty.imx
2. trustfence-tools-ccimx8xsbcpro-trusty.zip

Decompress the trustfence-tool zip files, for example, to your home, /home/<user>:

$ unzip -q trustfence-tools-ccimx8xsbcpro.zip -d ~
$ unzip -q trustfence-tools-ccimx8xsbcpro-trusty.zip -d ~

3. Sign bootloader images

Follow these steps to sign bootloader images:

Configure the signature process using the following environment variables:
- CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty folder is specified. See Manually create a Public Key Infrastructure tree (PKI tree) to manually generate the PKI tree.
- CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures. See Revoke a bootloader sign key.
- SRK_REVOKE_MASK: (Optional) Bitmask of the revoked SRKs. See Revoke a bootloader sign key.
You can also define these variables in a file .config located inside each trustfence-tools directory:
.config
```
CONFIG_SIGN_KEYS_PATH="/path/to/keys"
CONFIG_KEY_INDEX="3"
```

Sign the bootloader image with Trusty, u-boot-ccimx8xsbcpro2GB-<variant>-trusty.imx:

Enter the trustfence-tools-ccimx8xsbcpro-trusty directory.
```
$ cd ~/trustfence-tools-ccimx8xsbcpro-trusty
```

Copy the bootloader image to sign to the trustfence-tools-ccimx8xsbcpro-trusty directory.

$ cp /usr/local/dea-11.0-r2/out/target/product/ccimx8xsbcpro/u-boot-ccimx8xsbcpro2GB-<variant>-trusty.imx \
  ~/trustfence-tools-ccimx8xsbcpro-trusty/

Execute the trustfence-sign-uboot.sh script from trustfence-tools-ccimx8xsbcpro-trusty directory. The first parameter must be the input image to be signed and the second parameter, the output signed image.

$ PATH=~/trustfence-tools-ccimx8xsbcpro-trusty/bin:$PATH \
  ./trustfence-sign-uboot.sh u-boot-ccimx8xsbcpro2GB-<variant>-trusty.imx \
  u-boot-ccimx8xsbcpro2GB-<variant>-trusty-signed.imx
[...]
Signed image ready: u-boot-ccimx8xsbcpro2GB-<variant>-trusty-signed.imx

Repeat a similar process to sign the bootloader image without Trusty, u-boot-ccimx8xsbcpro2GB-<variant>.imx:

$ cd ~/trustfence-tools-ccimx8xsbcpro
$ cp /usr/local/dea-11.0-r2/out/target/product/ccimx8xsbcpro/u-boot-ccimx8xsbcpro2GB-<variant>.imx \
  ~/trustfence-tools-ccimx8xsbcpro/
$ PATH=~/trustfence-tools-ccimx8xsbcpro/bin:$PATH \
  ./trustfence-sign-uboot.sh u-boot-ccimx8xsbcpro2GB-<variant>.imx \
  u-boot-ccimx8xsbcpro2GB-<variant>-signed.imx
[...]
Signed image ready: u-boot-ccimx8xsbcpro2GB-<variant>-signed.imx

The process generates:

Inside trustfence-tools-ccimx8xsbcpro-trusty:
- The signed bootloader image, u-boot-ccimx8xsbcpro2GB-<variant>-trusty-signed.imx, to be programmed in a closed device. See 6. Program the signed bootloader.
- The SRK_efuses.bin file for the PKI tree used. See 7. Secure the device.
Inside trustfence-tools-ccimx8xsbcpro:
- The signed bootloader image, u-boot-ccimx8xsbcpro2GB-<variant>-signed.imx, to boot from USB a closed device.
The PKI tree inside the configured CONFIG_SIGN_KEYS_PATH.