To Create A Secure Boot Sd/Emmc - Intel Quark SoC X1000 Software User's Manual

15.2

To Create a Secure Boot SD/eMMC

Use files in <Path to BSP/meta-clanton/yocto_build/tmp/deploy/images/quark/ files
located by grub require signature files for verification. This includes kernel,
grub.conf, bzImage, and core-image-minimal-initramfs-quark.cpio.gz.
Open a new terminal session and use the following commands:
# cd spi-flash-tools
# make asset-signing-tool/sign
After compiling the signing tool, you can sign assets as shown in the following example:
# path/to/spi-flash-tools/asset-signing-tool/sign - - i <input
file>
-s <svn> -x <svn index> -k <key file> -c
The output for this example is a signed binary file called <input file>.signed in
the same directory as the <input file> but adding the –c command creates a
signature file, .csbh file.
<Key file> here can point to customer private_key.pem
<svn> and <svn index> can be set to "0" in this instance.
Pass the –c command line option which creates <input file>.csbh as output in the
same directory as the <input file>.
To get a full list of command line options, run the signing tool with no option.
The signature files can be copied onto the boot media and must comply with the
following requirements:
 Each .csbh file must be in the same directory as the corresponding non-signed
file.
 grub.conf must be located in the /boot/grub/ directory.
 Other files can be placed anywhere as long as grub.conf is configured with their
location.
The screenshots below show an example SD card with signature files:

Copy signature files core-image-minimal-initramfs-quark.cpio.gz.csbh
and bzImage.csbh to the root directory.
 Copy grub.cbsh to the /boot/grub/ directory.
May 2017
Document Number: 329687-011US
Intel® Quark™ SoC X1000 Board Support Package (BSP)
Build and Software User Guide
49