3. Secure Image Generation
3.1. List of Keys
Key file | Purpose
rsa_hash0.pem | RSA private key for signing the FSBL
loader_ek.key | AES key for encrypting the FSBL
bl_priv.pem | RSA private key for signing the Monitor/u-boot
bl_ek.key | AES key for encrypting the Monitor/u-boot
3.2. Generate Keys
Generate the signature private keys rsa_hash0.pem and bl_priv.pem.
* RSA keys are 2048 bits long and use the 4th Fermat number (F4, 65537) as the public exponent.
host$ openssl genrsa -out rsa_hash0.pem -F4 2048
host$ openssl genrsa -out bl_priv.pem -F4 2048
Generate the encryption/decryption keys loader_ek.key and bl_ek.key.
* If images are only signed and not encrypted, you do not need to generate these keys.
* The following commands generate the keys from random numbers.
host$ head -c 16 /dev/random > loader_ek.key
host$ head -c 16 /dev/random > bl_ek.key
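A pre-signing check on the key files generated above, as an added example that is not part of the original guide or the vendor's tooling: it confirms that each RSA key is 2048-bit with exponent F4, that each AES key is exactly 16 bytes, and that no key file is accessible to group or others. The function names, the single key directory and unencrypted PEM files are assumptions.

```shell
#!/bin/sh
# Added example: pre-signing checks for the key files listed in section 3.1.
# Assumes unencrypted PEM keys in one directory and openssl on PATH.

# Fail if the file is missing or group/others have any permission bit set.
check_private() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: accessible to group/others" >&2; return 1; }
}

# RSA signing key: 2048-bit modulus, public exponent F4 (65537), consistent.
check_rsa_key() {
    check_private "$1" || return 1
    text=$(openssl rsa -in "$1" -noout -text 2>/dev/null) ||
        { echo "$1: not a readable RSA private key" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Private-Key: (2048 bit' ||
        { echo "$1: modulus is not 2048 bits" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'publicExponent: 65537 ' ||
        { echo "$1: public exponent is not F4" >&2; return 1; }
    openssl rsa -in "$1" -noout -check 2>/dev/null | grep -q 'RSA key ok' ||
        { echo "$1: key fails openssl consistency check" >&2; return 1; }
}

# AES key: exactly 16 raw bytes, as written by `head -c 16`.
check_aes_key() {
    check_private "$1" || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 16 ] || { echo "$1: $size bytes, expected 16" >&2; return 1; }
}

# Check a key directory; the AES keys are optional (sign-only flow).
check_keys() {
    dir=$1
    check_rsa_key "$dir/rsa_hash0.pem" || return 1
    check_rsa_key "$dir/bl_priv.pem" || return 1
    for k in loader_ek.key bl_ek.key; do
        [ -e "$dir/$k" ] || continue
        check_aes_key "$dir/$k" || return 1
    done
}

# Usage: sh check_keys.sh KEY_DIR
if [ "$#" -gt 0 ]; then check_keys "$1"; fi
```

Running it with the key directory as its argument exits non-zero and names the offending file on the first failed check.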
3.3. Sign and Encrypt
3.3.1. Generate Image
Please refer to <U-boot Porting Development Guide> to generate the FIP.bin image.
3.3.2. Sign FIP.bin
Note
Precautions
To prevent the mass production key from being stolen, we suggest keeping it separately and using the signature tool to sign and encrypt only in a secure environment.
Execute the following command to sign the FIP image. fip.bin is the original image and fip_sign.bin is the signed image.
cv_crypt$ ./fipsign.py sign \
    --root-priv=rsa_hash0.pem \
    --bl-priv=bl_priv.pem \
    fip.bin fip_sign.bin
Tool parameters:
cv_crypt$ ./fipsign.py sign
usage: fipsign.py sign [-h] [--root-priv ROOT_PRIV] [--bl-priv BL_PRIV] SRC_FIP DEST_FIP
3.3.3. Sign and encrypt FIP.bin
Execute the following command to sign and encrypt the FIP image. fip.bin is the original image and fip_enc.bin is the signed and encrypted image.
cv_crypt$ ./fipsign.py sign-enc \
    --root-priv=rsa_hash0.pem \
    --bl-priv=bl_priv.pem \
    --ldr-ek=loader_ek.key \
    --bl-ek=bl_ek.key \
    fip.bin fip_enc.bin
Tool parameters:
cv_crypt$ ./fipsign.py sign-enc
usage: fipsign.py sign-enc [-h] [--ldr-ek LDR_EK] [--bl-ek BL_EK] [--root-priv ROOT_PRIV] [--bl-priv BL_PRIV] SRC_FIP DEST_FIP
Note
Encryption is optional. If encryption is required, FIP.bin needs to be configured for it when compiling, with CONFIG_FSBL_SECURE_BOOT_SUPPORT = y.
Configuration method:
host$ source build/envsetup_soc.sh
host$ defconfig xxxxxx
host$ menuconfig -> FIP setting -> select [ ] Add secure boot support to FSBL