Differences

This shows you the differences between two versions of the page.

--- products:sbc:vim3:applications:secureboot [2023/08/29 23:45]
nick created
+++ products:sbc:vim3:applications:secureboot [2025/05/14 21:41] (current)
nick
@@ Line 1: / Line 1: @@
 ====== VIM3/3L Secureboot ======
+===== Introduction =====
+The default image compiled by [[kg>fenix | Fenix ]] for ''Ubuntu/Debian'' does not support Secureboot. For ordinary users, Secureboot functionality is not necessary.
+Enabling Secureboot means that the board can only flash image signed with the same key, it won't be possible to flash any other unsigned image or image signed with a different key anymore.
+If you want to enable the Secureboot feature, you can follow this documentation to apply extra patches and sign the image.
+<WRAP important >
+  * Only support eMMC installation image.
+</WRAP>
+===== Warning =====
+<WRAP alert >
+Before you start, please note:
+  * You know what you are doing and what you want to do.
+  * Once the board is secured, we can't provide proper support for it anymore.
+  * The Secureboot key can only be flashed once, and it is irreversible, so caution is advised when flashing.
+  * The generated key must be securely stored because once the key is flashed, you will only be able to flash images signed with this key in the future.
+  * Make sure to conduct thorough testing and ensure that the image is production-ready before enabling the Secureboot feature.
+</WRAP>
+===== Apply patches to support secureboot =====
+Download and apply [[dl>resources/development/patches/vim3-secureboot-patches.tgz | patches ]].
+```shell
+~/vim3-secureboot-patches$ tree
+.
+├── fenix
+│   └── 0001-packages-images_upgrade-bump-to-1b40968.patch
+└── u-boot
+    └── 0001-don-t-decrypt-dtb-when-secureboot-enabled.patch
+directories, 2 files
+```
+There 2 patches, one is for Fenix, and the other one is for u-boot.
+===== Compile the image =====
+You can compile the image after apply the patches.
+===== Generate the signing key =====
+Download the [[dl>products/vim3/tools/aml-signtool-g12a.zip | sign tool]] decompress it and double click ''AmlEToolV3.exe'' to open it:
+{{:products:sbc:vim3:applications:secureboot-1.webp?600|}}
+Select ''OneStepGenKey'' and check ''2048'' then click ''Generate'' to generate the keys:
+{{:products:sbc:vim3:applications:secureboot-2.webp?600|}}
+{{:products:sbc:vim3:applications:secureboot-3.webp?600|}}
+The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time:
+{{:products:sbc:vim3:applications:secureboot-4.webp?600|}}
+You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'':
+  * ''aml-user-key.sig'' - Used to sign the images
+  * ''SECURE_BOOT_SET'' - Used to burn the key
+===== Encrypt the image =====
+<WRAP important >
+  * Only support sign tool under Windows system.
+</WRAP>
+Also using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,
+and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then import the image that needs to be encrypted in the ''Input'':
+{{:products:sbc:vim3:applications:secureboot-5.webp?600|}}
+{{:products:sbc:vim3:applications:secureboot-6.webp?600|}}
+{{:products:sbc:vim3:applications:secureboot-7.webp?600|}}
+Then click ''Encrypt'' to encrypt the image.
+{{:products:sbc:vim3:applications:secureboot-8.webp?600|}}
+{{:products:sbc:vim3:applications:secureboot-9.webp?600|}}
+After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the ''secureboot'' suffix,
+e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''.
+Next, we will explain how to flash this encrypted image.
+===== Flash encrypted image  =====
+<WRAP important >
+  * Only support USB flash tool under Windows system.
+</WRAP>
+Download and install the [[dl>products/vim3/tools/usb_burning_tool_v2.2.0.zip | USB flash tool]], after installation, you need to copy the previously generated file
+''SECURE_BOOT_SET'' to the ''licence'' directory within the USB tool installation directory，e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''.
+{{:products:sbc:vim3:applications:secureboot-10.webp?600|}}
+Open the USB flashing tool, import the encrypted image, check the ''secure_boot_set'' option, and then click ''Start'' to start the flashing process.
+{{:products:sbc:vim3:applications:secureboot-11.webp?600|}}
+<WRAP important >
+The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first encryption image flash.
+Do not check it again for next time flashing with the same board.
+</WRAP>
+===== See Also  =====
+You can find some documentations about how to flash the keys with Amlogic USB Flash Tool from the USB Flash Tool: ''About->Key Help'' and ''About->Burning Key Instruction'':
+{{:products:sbc:vim3:applications:secureboot-12.webp?600|}}

Khadas Docs

User Tools

Site Tools

Differences

Page Tools