To maintain a high level of security, strictly limit the number of people who have access to the private keys to sign the device artifacts. In many cases, this means that only specific persons—signers—have access to them, and these individuals may or may not be part of the development team.
TrustFence standalone signing and encryption tools allow you to isolate the signing/encryption processes from firmware image generation. This way, there is no need to secure the entire development environment, only a secure location in which the firmware images get signed and encrypted.
Requirements:
Download and install a pre-built SDK as explained in Install a pre-compiled toolchain.
Sign and encrypt U-Boot images
Authentication of signed boot artifacts is not enabled on the default U-Boot configuration.
You must enable the configuration option conf/local.conf
|
Once the toolchain is installed and sourced, you can follow these steps to sign a U-Boot image:
-
Configure the signature process using the following environment variables:
-
CONFIG_SIGN_KEYS_PATH
: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty folder is specified. -
CONFIG_KEY_INDEX
: (Optional) Default value is 0. Index of the key to use for signatures. -
CONFIG_MKIMAGE_LOG_PATH
: (Optional) Path to themkimage-flash_spl_uboot.log
file. The signing script requires this log to obtain layout information used to sign U-Boot.After you have built the Digi Embedded Yocto firmware, you can find this log file inside the project directory at:
<project_folder>/tmp/deploy/images/ccimx8mn-dvk/imx-boot-tools
. If you do not define this value, the script will look for amkimage.log
file in the directory it is being called from. -
CONFIG_FIT_HAB_LOG_PATH
: (Optional) Path to themkimage-print_fit_hab.log
file. The signing script requires this log to obtain layout information used to sign U-Boot.After you have built the Digi Embedded Yocto firmware, you can find this log file inside the project directory at:
<project_folder>/tmp/deploy/images/ccimx8mn-dvk/imx-boot-tools
. If you do not define this value, the signing script will look for amkimage-print_fit_hab.log
file in the directory it is being called from. -
CONFIG_UNLOCK_SRK_REVOKE
: (Optional) If defined, the signed U-Boot can revoke keys on a closed device. -
ENABLE_ENCRYPTION
: (Optional) If defined, the signed images are encrypted. -
CONFIG_DEK_PATH
: (Mandatory ifENABLE_ENCRYPTION
is defined, otherwise ignored) The path to the data encryption key. If the file does not exist, a random 256-bit file is generated.You can also define these variables in a file
.config
located in the current path:.configCONFIG_SIGN_KEYS_PATH="/path/to/keys" CONFIG_KEY_INDEX="3" # In order to encrypt the images, also add the following: #export ENABLE_ENCRYPTION="y" #export CONFIG_DEK_PATH="/path/to/keys/dek.bin"
-
-
Execute the
trustfence-sign-uboot.sh
script with the input file (U-Boot image to be signed) as the first parameter and the output file (signed and encrypted U-Boot image) as the second parameter:$ trustfence-sign-uboot.sh imx-boot.bin imx-boot-signed.bin Using existing PKI tree Signed image ready: imx-boot-signed.bin
The tool will also generate the SRK_efuses.bin
file for the PKI tree used.
Sign and encrypt other images
The trustfence-sign-artifact.sh
script allows generation of the following signed and encrypted artifacts:
-
Linux images
-
Device tree blobs and overlays
-
U-Boot bootscripts
-
Initramfs
To use the script, follow these steps:
-
Configure the signature process using the following environment variables:
-
CONFIG_SIGN_KEYS_PATH
: (Mandatory) The path to the PKI tree. If an empty path is specified, a new PKI tree is generated -
CONFIG_KEY_INDEX
: (Optional) Default value is 0. Index of the key to use for signatures. -
CONFIG_DEK_PATH
: (Optional) Path to the data encryption key. If undefined, the images will not be encrypted. If the file does not exist, a random 256-bit file is generated.In a similar way, you can also define these variables in a
.config
file located in the current path:.configCONFIG_SIGN_KEYS_PATH="/path/to/keys" CONFIG_DEK_PATH="/path/to/dek"
-
-
Execute the
trustfence-sign-artifact.sh
script. Syntax of the script is as follows:Usage: trustfence-sign-artifact.sh [OPTIONS] input-unsigned-image output-signed-image -p <platform> select platform for the project -b sign/encrypt bootscript -d sign/encrypt DTB -o sign/encrypt DTB overlay -i sign/encrypt initramfs -l sign/encrypt Linux image -r sign read-only rootfs image Supported platforms: ccimx6, ccimx6ul, ccimx8x, ccimx8mn, ccimx8mm
The following example generates a signed and encrypted Image.gz:
$ trustfence-sign-artifact.sh -p ccimx8mn -l Image.gz Image.gz-signed