Signing Files (Secure Sku Only) [Linux Build Environment Only] - Intel Quark SoC X1000 User Manual

Board support package bsp, build and software

Intel® Quark™ SoC X1000 BSP Build and Software User Guide
Order Number: 329687-007US

15 Signing files (secure SKU only) [Linux build environment only]

This step is optional for most users; it is only needed for booting on a secure SKU.

Dependencies: libssl-dev

All files located by grub require signature files for verification. This includes kernel,
grub.conf, bzImage, and core-image-minimal-initramfs-clanton.cpio.gz.

The SPI Flash Tools package includes the Asset Signing Toolset, an application used
for signing assets for secure boot. Follow the steps below to compile the signing tool,
then sign assets.

For complete details on the Asset Signing Toolset, including all of the command line
options, refer to the Intel® Quark™ SoC X1000 Secure Boot Programmer's Reference
Manual (see Appendix A).

Note: For convenience during development, the software release includes a default Private
Key key.pem file. During development, all assets are signed with the default key that
is stored in the config directory. The default key cannot be used in a production
system; it is not secure due to its inclusion in the release package. Contact your Intel
representative for details.

Open a new terminal session and use the following commands:

# cd spi-flash-tools
# make asset-signing-tool/sign

After compiling the signing tool, you can sign assets as shown in the following
example:

# path/to/spi-flash-tools/asset-signing-tool/sign -i <input file> -s <svn> -x <svn index> -k <key file>

The output for this example is a signed binary file called <input file>.signed in
the same directory as the <input file>.

To create a separate signature file, pass the -c command line option, which creates
<input file>.csbh as output in the same directory as the <input file>.

To get a full list of command line options, run the signing tool with no option.

The signature files can be copied onto a USB stick or SD card and must comply with
the following requirements:

• Each .csbh file must be in the same directory as the corresponding non-signed
  file.
• grub.conf must be located in the /boot/grub/ directory.
• Other files can be placed anywhere as long as grub.conf is configured with their
  location.
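The placement requirements for the signature files can be checked on the mounted USB stick or SD card before attempting to boot a secure SKU. The script below is an added example, not part of the Intel manual or the SPI Flash Tools package; the function names are hypothetical, and it assumes grub.conf uses GRUB legacy "kernel <path>" and "initrd <path>" lines. It checks only that the files are present and correctly placed, not that the signatures are valid.

```shell
#!/bin/sh
# Added example (not from the Intel manual): verify staged boot media against
# the signature-file layout rules before booting a secure SKU.
# Assumption: grub.conf uses GRUB legacy "kernel <path>" / "initrd <path>"
# lines, optionally prefixed with a device such as (hd0,0).

# Print grub.conf plus every kernel/initrd file it names, rooted at $1.
list_grub_assets() {
    echo "$1/boot/grub/grub.conf"
    sed -e 's/#.*//' "$1/boot/grub/grub.conf" |
        awk '$1 == "kernel" || $1 == "initrd" { print $2 }' |
        sed -e 's/^([^)]*)//' |
        while read -r p; do echo "$1/${p#/}"; done
}

# Return 0 only if grub.conf is in /boot/grub/ and every asset has a non-empty
# <file>.csbh beside it; 1 if something is missing; 2 if grub.conf is absent.
check_signed_layout() {
    [ -f "$1/boot/grub/grub.conf" ] || { echo "no $1/boot/grub/grub.conf" >&2; return 2; }
    list_grub_assets "$1" | (
        rc=0
        while read -r f; do
            [ -f "$f" ] || { echo "missing asset: $f" >&2; rc=1; }
            [ -s "$f.csbh" ] || { echo "missing signature: $f.csbh" >&2; rc=1; }
        done
        exit "$rc"
    )
}

# Build a constructed sample media tree in $1 (placeholder file contents only).
make_sample_media() {
    mkdir -p "$1/boot/grub"
    printf '%s\n' '# constructed sample' 'title Quark' \
        '  kernel (hd0,0)/bzImage root=/dev/ram0' \
        '  initrd /core-image-minimal-initramfs-clanton.cpio.gz' \
        > "$1/boot/grub/grub.conf"
    for f in boot/grub/grub.conf bzImage core-image-minimal-initramfs-clanton.cpio.gz; do
        [ -f "$1/$f" ] || echo placeholder > "$1/$f"
        echo placeholder-signature > "$1/$f.csbh"
    done
}

# Usage: sh check_layout.sh /path/to/mounted/media
if [ "$#" -gt 0 ]; then check_signed_layout "$1"; fi
```

A non-zero exit status means at least one file that grub will load has no .csbh file beside it, or grub.conf is not in /boot/grub/.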
