We distinguish between the following project phases:

  • During development, keys are exposed to the development team. A development environment should not generate production images.

  • In production, final signed images are generated with custom private keys.

  • During manufacturing, signed images and public keys are programmed into the devices.

Development environment

In this phase, developers work with open devices that do not require signed images to boot. During development, applications and OTA packages can be signed with the test keys available in the Digi Embedded for Android source tree. See Build your development images.

A development environment is not a secure environment, so it should not have access to final private keys or certificates.

Digi recommends that you separate the development process from the signing process so that the private keys are never exposed to development. A development server generates the artifacts, and those artifacts are signed externally in a secure environment during production.

Production environment

This must be a secure environment where final keys are used to sign the artifacts from development. It has access to:

  1. The keys used to sign the artifacts.

  2. The artifacts built by the development environment.

A production environment can be set up in one of two ways:

  • The production build server is a secured development server that uses Digi Embedded for Android to build and sign images ready for deployment.

  • The production build server signs images from a development build server in a secure environment.
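The hand-off between the three environments, as a constructed shell illustration added here (not Digi's own tooling): each environment is a directory, a generic openssl RSA key stands in for the real SRK and AVB key material, and the artifact and directory names are assumptions.

```shell
#!/bin/sh
# Constructed illustration (not Digi's tooling): three environments as three directories.
# Only the production directory ever holds the private signing key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEV="$WORK/development"; PROD="$WORK/production"; MFG="$WORK/manufacturing"
mkdir -p "$DEV" "$PROD" "$MFG"

# Production: generate the key pair; the private half stays here, only the public half is exported.
production_generate_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PROD/signing_key.pem" 2>/dev/null
    openssl pkey -in "$PROD/signing_key.pem" -pubout -out "$PROD/signing_key.pub.pem"
}

# Development: build the unsigned artifact and publish its digest alongside it.
development_build() {
    printf 'constructed firmware image contents\n' > "$DEV/firmware.img"
    openssl dgst -sha256 -binary "$DEV/firmware.img" > "$DEV/firmware.img.sha256"
}

# Production: check the received artifact against the published digest, then sign it.
production_sign() {
    cp "$DEV/firmware.img" "$DEV/firmware.img.sha256" "$PROD/"
    openssl dgst -sha256 -binary "$PROD/firmware.img" | cmp -s - "$PROD/firmware.img.sha256"
    openssl dgst -sha256 -sign "$PROD/signing_key.pem" \
        -out "$PROD/firmware.img.sig" "$PROD/firmware.img"
    # Manufacturing receives the signed image and the public key only.
    cp "$PROD/firmware.img" "$PROD/firmware.img.sig" "$PROD/signing_key.pub.pem" "$MFG/"
}

# Manufacturing: verify the signature with the public key before programming any device.
manufacturing_verify() {
    openssl dgst -sha256 -verify "$MFG/signing_key.pub.pem" \
        -signature "$MFG/firmware.img.sig" "$MFG/firmware.img" >/dev/null 2>&1
}

# Policy check: the private key must never appear outside production.
private_key_contained() {
    [ ! -e "$DEV/signing_key.pem" ] && [ ! -e "$MFG/signing_key.pem" ]
}

# Run the whole hand-off; succeeds only if every step passes.
run_pipeline() {
    production_generate_keys && development_build && production_sign \
        && manufacturing_verify && private_key_contained
}
```

Any modification of the image after it leaves production makes the manufacturing-side verification fail, which is the property the split is meant to guarantee.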

Manufacturing environment

In either case, the manufacturing facility is provided with:

  1. Signed firmware images from the production server.

  2. The SRK_efuses.bin file generated by the production server.

  3. A specific RPMB authentication key, or instructions to generate a random RPMB key.

  4. The AVB public key to be programmed in the RPMB secure storage.

The manufacturing facilities need to make sure that the RPMB authentication key is properly protected.