To maintain a high level of security, strictly limit the number of people who have access to the private keys to sign the device artifacts. In many cases, this means that only specific persons—signers—have access to them, and these individuals may or may not be part of the development team.

TrustFence standalone signing and encryption tools allow you to isolate the signing/encryption processes from firmware image generation. This way, there is no need to secure the entire development environment, only a secure location in which the firmware images get signed and encrypted.

Requirements:

  1. Enable Trustfence in your Yocto project by adding the following line to your local.conf file:

    INHERIT += "trustfence"
  2. Use that project to generate an SDK.

    ~$ bitbake -c populate_sdk dey-image-qt
  3. Install the generated SDK and source it.

    ~$ <YOCTO_PROJECT_FOLDER>/tmp/deploy/sdk/dey-glibc-x86_64-dey-image-qt-x11-cortexa9t2hf-neon-toolchain-2.6-r3.sh
    ~$ source <SDK_INSTALLATION_PATH>/environment-setup-cortexa9t2hf-neon-dey-linux-gnueabi

Sign and encrypt U-Boot images

Once the toolchain is installed and sourced, you can follow these steps to sign a U-Boot image:

  1. Configure the signature process using the following environment variables:

    • CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. A new PKI tree is generated if an empty folder is specified.

    • CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.

    • NO_DCD: (Optional) Remove device configuration data from the signed images. This produces a signed U-Boot image able to boot via USB.

    • CONFIG_UNLOCK_SRK_REVOKE: (Optional) If defined, the signed U-Boot can revoke keys on a closed device.

    • ENABLE_ENCRYPTION: (Optional) If defined, the signed images are encrypted.

    • CONFIG_DEK_PATH: (Mandatory if ENABLE_ENCRYPTION is defined, otherwise ignored) The path to the data encryption key. If the file does not exist, a random 256-bit file is generated.

      You can also define these variables in a file .config located in the current path:

      .config
      CONFIG_SIGN_KEYS_PATH="/path/to/keys"
      CONFIG_KEY_INDEX="3"
      
      # In order to encrypt the images, also add the following:
      #export ENABLE_ENCRYPTION="y"
      #export CONFIG_DEK_PATH="/path/to/keys/dek.bin"
  2. Execute the trustfence-sign-uboot.sh script with the input file (U-Boot image to be signed) as the first parameter and the output file (signed and possibly encrypted U-Boot image) as the second parameter:

    ~$ trustfence-sign-uboot.sh u-boot.imx u-boot-signed.imx
    Using existing PKI tree
    Signed image ready: u-boot-signed.imx

The tool will also generate the SRK_efuses.bin file for the PKI tree used.

Sign and encrypt other images

The trustfence-sign-kernel.sh script allows the following artifacts to be signed and encrypted:

  • Linux images

  • DTBs

  • U-Boot bootscripts

  • Initramfs

To use the script, follow these steps:

  1. Configure the signature process using the following environment variables:

    • CONFIG_SIGN_KEYS_PATH: (Mandatory) The path to the PKI tree. If an empty path is specified, a new PKI tree is generated

    • CONFIG_KEY_INDEX: (Optional) Default value is 0. Index of the key to use for signatures.

    • CONFIG_DEK_PATH: (Optional) Path to the data encryption key. If undefined, the images will not be encrypted. If the file does not exist, a random 256-bit file is generated.

      In a similar way, you can also define these variables in a .config file located in the current path:

      .config
      CONFIG_SIGN_KEYS_PATH="/path/to/keys"
      CONFIG_DEK_PATH="/path/to/dek"
  2. Execute the trustfence-sign-kernel.sh script. Usage of the script is as follows:

    Usage: trustfence-sign-kernel.sh [OPTIONS] input-unsigned-image output-signed-image
    
        -p <platform>    select platform for the project
        -b               sign/encrypt bootscript
        -d               sign/encrypt DTB
        -i               sign/encrypt initramfs
        -l               sign/encrypt Linux image
    
    Supported platforms: ccimx6, ccimx6ul, ccimx8x

    The following example signs and encrypts the zImage:

    trustfence-sign-kernel.sh -p ccimx6 -l zImage-signed