Khadas Docs

products:sbc:vim3:applications:secureboot

Revisions compared: 2023/08/29 23:45 (created by nick) and 2023/08/30 02:48 (current, by nick)
====== VIM3/3L Secureboot ======

===== Introduction =====

The default image compiled by [[kg>fenix | Fenix ]] for ''Ubuntu/Debian'' does not support Secureboot. For ordinary users, Secureboot functionality is not necessary.

Enabling Secureboot means that the board can only flash images signed with the same key; it will no longer be possible to flash any unsigned image, or an image signed with a different key.

If you want to enable the Secureboot feature, you can follow this documentation to apply the extra patches and sign the image.

<WRAP important >
  * Only eMMC installation images are supported.
</WRAP>
 +
 +
===== Warning =====

<WRAP alert >
Before you start, please note:
  * Make sure you know what you are doing and what you want to achieve.
  * Once the board is secured, we can't provide proper support for it anymore.
  * The Secureboot key can only be flashed once, and this is irreversible, so be careful when flashing it.
  * The generated key must be securely stored, because once the key is flashed you will only be able to flash images signed with this key in the future.
  * Make sure to conduct thorough testing and ensure that the image is production-ready before enabling the Secureboot feature.
</WRAP>
 +
 +
===== Apply patches to support secureboot =====

Download and apply the [[dl>development/patches/vim3-secureboot-patches.tgz | patches ]].

```shell
~/vim3-secureboot-patches$ tree
.
├── fenix
│   └── 0001-packages-images_upgrade-bump-to-1b40968.patch
└── u-boot
    └── 0001-don-t-decrypt-dtb-when-secureboot-enabled.patch

2 directories, 2 files
```

There are 2 patches: one is for Fenix, and the other is for u-boot.
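As an added example (not part of the Khadas docs or the Fenix project), the following POSIX shell script unpacks the patch tarball listed above and applies each patch to the matching checkout with ''git am''. The checkout paths are placeholders, and the mapping of the ''fenix'' and ''u-boot'' subdirectories of the tarball to the Fenix and U-Boot repositories is assumed from the tree listing.

```shell
#!/bin/sh
# Added example, not from the Khadas docs: unpack vim3-secureboot-patches.tgz
# and apply its patches to local git checkouts of fenix and u-boot.
# Assumption: the tarball contains fenix/*.patch and u-boot/*.patch, as in
# the tree listing; the checkout paths passed in are placeholders.
set -eu

# extract_patches TGZ DESTDIR
# Unpacks TGZ into DESTDIR and prints "<subdir> <patchfile>" per patch,
# one per line, so the caller knows which repository each patch is for.
extract_patches() {
    tgz=$1; dest=$2
    mkdir -p "$dest"
    tar -xzf "$tgz" -C "$dest"
    find "$dest" -type f -name '*.patch' | sort | while read -r p; do
        sub=$(basename "$(dirname "$p")")
        printf '%s %s\n' "$sub" "$p"
    done
}

# count_patches TGZ DESTDIR -> number of patches found (the page ships 2)
count_patches() {
    extract_patches "$1" "$2" | wc -l | tr -d ' '
}

# apply_patches TGZ DESTDIR FENIX_DIR UBOOT_DIR
# Applies every patch to the repository its subdirectory names. git am keeps
# the patch author and commit message; with set -e the loop stops on the
# first patch that does not apply, so nothing is left half-applied silently.
apply_patches() {
    tgz=$1; dest=$2; fenix=$3; uboot=$4
    extract_patches "$tgz" "$dest" | while read -r sub p; do
        case "$sub" in
            fenix)  target=$fenix ;;
            u-boot) target=$uboot ;;
            *) echo "unexpected patch directory: $sub" >&2; exit 1 ;;
        esac
        echo "applying $(basename "$p") to $target"
        git -C "$target" am --3way "$p"
    done
}

# Usage (placeholder paths, assumed for this example):
# apply_patches ~/vim3-secureboot-patches.tgz /tmp/vim3-patches ~/fenix ~/fenix-u-boot
```

If ''git am'' stops on a conflict, resolve it in that checkout and continue with ''git am --continue''; run the script again only after removing the partially applied state with ''git am --abort'', otherwise the first patch would be applied twice.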
 +
===== Compile the image =====

You can compile the image after applying the patches.
 +
===== Generate the signing key =====

Download the [[dl>products/vim3/tool/aml-signtool-g12a.zip | sign tool]], decompress it, and double-click ''AmlEToolV3.exe'' to open it:

{{:products:sbc:vim3:applications:secureboot-1.webp?600|}}

Select ''OneStepGenKey'', check ''2048'', then click ''Generate'' to generate the keys:

{{:products:sbc:vim3:applications:secureboot-2.webp?600|}}

{{:products:sbc:vim3:applications:secureboot-3.webp?600|}}

The generated keys are placed in the ''key'' directory within the sign tool's directory, in a subdirectory named after the current time:

{{:products:sbc:vim3:applications:secureboot-4.webp?600|}}

You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'':

  * ''aml-user-key.sig'' - Used to sign the images
  * ''SECURE_BOOT_SET'' - Used to burn the key
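Because the key can be burned only once and every future image must be signed with it, a practitioner will want a checkable record of the two key files before the burn. The script below is an added example, not part of the Khadas docs or the Amlogic tool: it records SHA-256 sums of ''aml-user-key.sig'' and ''SECURE_BOOT_SET'', verifies a copy against those sums, and packs the key directory into a permission-restricted archive for offline storage. The directory paths are assumptions; it needs ''sha256sum'' and ''tar''.

```shell
#!/bin/sh
# Added example, not from the Khadas docs: record and verify checksums of the
# key files the page says must be kept, and archive the key directory with
# restrictive permissions. Paths used are placeholders/assumptions.
set -eu

# record_key_sums KEYDIR SUMFILE
# Fails if either key file is missing; writes sha256 sums (relative file
# names, so the sum file works against any copy of the directory) to SUMFILE.
record_key_sums() {
    keydir=$1; sums=$2
    for f in aml-user-key.sig SECURE_BOOT_SET; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    (cd "$keydir" && sha256sum aml-user-key.sig SECURE_BOOT_SET) > "$sums"
}

# verify_key_copy COPYDIR SUMFILE -> exit status 0 only if both files in
# COPYDIR match the recorded sums (a truncated or altered copy fails).
verify_key_copy() {
    copydir=$1; sums=$2
    # the check runs inside COPYDIR, so make a relative SUMFILE path absolute
    case $sums in /*) ;; *) sums=$PWD/$sums ;; esac
    (cd "$copydir" && sha256sum -c --quiet "$sums")
}

# backup_key_dir KEYDIR ARCHIVE
# Packs the whole timestamped key directory; the archive is created with a
# restrictive umask and owner-only permissions for moving to offline storage.
backup_key_dir() {
    keydir=$1; archive=$2
    (umask 077 && tar -czf "$archive" -C "$(dirname "$keydir")" "$(basename "$keydir")")
    chmod 600 "$archive"
}

# Usage (placeholder paths):
# record_key_sums /path/to/signtool/key/20230830105011 key-sums.txt
# backup_key_dir  /path/to/signtool/key/20230830105011 secureboot-key-backup.tgz
# ... later, on the restored copy:
# verify_key_copy /restored/20230830105011 key-sums.txt
```

Keep the sum file separately from the archive; verifying a restored copy against it before the first ''secure_boot_set'' flash catches a damaged backup while the original key directory still exists.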
 +
===== Encrypt the image =====

<WRAP important >
  * The sign tool is only supported on Windows.
</WRAP>

Again using the sign tool ''AmlEToolV3.exe'', select ''Entire'' and import the ''User Key'', which is the ''aml-user-key.sig'' file generated before. Also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign'', then import the image that needs to be encrypted in ''Input'':

{{:products:sbc:vim3:applications:secureboot-5.webp?600|}}

{{:products:sbc:vim3:applications:secureboot-6.webp?600|}}

{{:products:sbc:vim3:applications:secureboot-7.webp?600|}}

Then click ''Encrypt'' to encrypt the image.

{{:products:sbc:vim3:applications:secureboot-8.webp?600|}}

{{:products:sbc:vim3:applications:secureboot-9.webp?600|}}

After successful signing, a new encrypted image is generated in the original image directory, with a filename carrying a timestamp and the ''secureboot'' suffix. For example, if the original file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''.

Next, we will explain how to flash this encrypted image.
 +
 +
===== Flash encrypted image =====

<WRAP important >
  * The USB flash tool is only supported on Windows.
</WRAP>

Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool]]. After installation, copy the previously generated file ''SECURE_BOOT_SET'' to the ''license'' directory within the USB tool installation directory, e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''.

{{:products:sbc:vim3:applications:secureboot-10.webp?600|}}

Open the USB flashing tool, import the encrypted image, check the ''secure_boot_set'' option, and then click ''Start'' to start the flashing process.

{{:products:sbc:vim3:applications:secureboot-11.webp?600|}}

<WRAP important >
The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first flash of an encrypted image.

Do not check it again when flashing the same board later.
</WRAP>
 +
===== See Also =====

You can find documentation about how to flash the keys with the Amlogic USB Flash Tool inside the tool itself, under ''About->Key Help'' and ''About->Burning Key Instruction'':

{{:products:sbc:vim3:applications:secureboot-12.webp?600|}}
 +
 +
 +
  
Last modified: 2023/08/29 23:45 by nick