AVB checks the signature and the AVB public key when verifying the VBMeta image. The AVB public key must be stored to the TEE (Trusted Execution Environment)-backed RPMB when Trusty is enabled. Perform the following steps to set the AVB public key:
-
Enter U-Boot fastboot mode:
=> fastboot 1
-
Execute the following commands:
$ fastboot stage ${your-key-directory}/custom_rsa4096_public.bin $ fastboot oem set-public-key
custom_rsa4096_public.bin
is the public AVB key extracted from the AVB private key (see 1. Generate ABV keys to sign and verify images).If you use the default AVB keys for debug purpose, flash the default public key with the following commands:
$ fastboot stage /usr/local/dea-11.0-r2/device/digi/common/security/testkey_public_rsa4096.bin $ fastboot oem set-public-key