To maintain a high level of security, strictly limit the number of people who have access to the private keys to sign the device artifacts. In many cases, this means that only specific persons—signers—have access to them, and these individuals may or may not be part of the development team.

TrustFence standalone signing tools allow you to isolate the signing processes from firmware image generation. This way, there is no need to secure the entire development environment, only a secure location in which the firmware images get signed.

Requirements:

  1. Enable Trustfence in your Yocto project by adding the following line to your local.conf file:

    INHERIT += "trustfence"

  2. Use that project to generate an SDK.

    ~$ bitbake -c populate_sdk dey-image-qt

  3. Install the generated SDK and source it.

    ~$ <YOCTO_PROJECT_FOLDER>/tmp/deploy/sdk/dey-glibc-x86_64-dey-image-qt-xwayland-aarch64-toolchain-2.6-r3.sh
~$ source <SDK_INSTALLATION_PATH>/environment-setup-aarch64-dey-linux

Sign and encrypt U-Boot images

Encryption is not currently supported for the ConnectCore 8X.

Once the toolchain is installed and sourced, you can follow these steps to sign a U-Boot image:

  1. Configure the signature process using the following environment variables:

    • CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty folder is specified.

    • CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.

      You can also define these variables in a file .config located in the current path:

      .config
      CONFIG_SIGN_KEYS_PATH="/path/to/keys"
CONFIG_KEY_INDEX="3"

  2. Execute the trustfence-sign-uboot.sh script with the input file (U-Boot image to be signed) as the first parameter and the output file (signed U-Boot image) as the second parameter:

    ~$ trustfence-sign-uboot.sh u-boot.imx u-boot-signed.imx
Using existing PKI tree
Signed image ready: u-boot-signed.imx

The tool will also generate the SRK_efuses.bin file for the PKI tree used.

Sign and encrypt other images

Encryption is not currently supported for the ConnectCore 8X.

The trustfence-sign-kernel.sh script allows the following artifacts to be signed and encrypted:

  • Linux images

  • DTBs

  • U-Boot bootscripts

  • Initramfs

To use the script, follow these steps:

  1. Configure the signature process using the following environment variables:

    • CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. If an empty path is specified, a new PKI tree is generated

    • CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.

      In a similar way, you can also define these variables in a .config file located in the current path:

      .config
      CONFIG_SIGN_KEYS_PATH="/path/to/keys"

  2. Execute the trustfence-sign-kernel.sh script. Usage of the script is as follows:

    Usage: trustfence-sign-kernel.sh [OPTIONS] input-unsigned-image output-signed-image

    -p <platform>    select platform for the project
    -b               sign/encrypt bootscript
    -d               sign/encrypt DTB
    -i               sign/encrypt initramfs
    -l               sign/encrypt Linux image

Supported platforms: ccimx6, ccimx6ul, ccimx8x

    The following example signs and encrypts the Image.gz:

    trustfence-sign-kernel.sh -p ccimx8x -l Image.gz-signed