Differences

This shows you the differences between two versions of the page.

--- products:sbc:vim3:applications:secureboot [2023/08/30 00:08]
nick
+++ products:sbc:vim3:applications:secureboot [2023/08/30 02:48] (current)
nick
@@ Line 1: / Line 1: @@
 ====== VIM3/3L Secureboot ======
-WIP:
+===== Introduction =====
-save temporary
+The default image compiled by [[kg>fenix | Fenix ]] for ''Ubuntu/Debian'' does not support Secureboot. For ordinary users, Secureboot functionality is not necessary.
-===== Introduction =====
+Enabling Secureboot means that the board can only flash image signed with the same key, it won't be possible to flash any other unsigned image or image signed with a different key anymore.
-The default firmware compiled by Fenix for Ubuntu/Debian does not support Secureboot. For ordinary users, Secureboot functionality is not necessary. Enabling Secureboot means that the board can only flash firmware signed with the same key. It won't be possible to flash any other unsigned firmware or firmware signed with a different key. Additionally, the process of flashing the key is irreversible.
+If you want to enable the Secureboot feature, you can follow this documentation to apply extra patches and sign the image.
-If you need to add Secureboot support, you will require additional patches to enable it.
+<WRAP important >
+  * Only support eMMC installation image.
+</WRAP>
+===== Warning =====
+<WRAP alert >
+Before you start, please note:
+  * You know what you are doing and what you want to do.
+  * Once the board is secured, we can't provide proper support for it anymore.
+  * The Secureboot key can only be flashed once, and it is irreversible, so caution is advised when flashing.
+  * The generated key must be securely stored because once the key is flashed, you will only be able to flash images signed with this key in the future.
+  * Make sure to conduct thorough testing and ensure that the image is production-ready before enabling the Secureboot feature.
+</WRAP>
@@ Line 30: / Line 44: @@
 There 2 patches, one is for Fenix, and the other one is for u-boot.
-===== Compile the images =====
+===== Compile the image =====
-You can compile the images after apply the patches.
+You can compile the image after apply the patches.
 ===== Generate the signing key =====
@@ Line 40: / Line 54: @@
 Download the [[dl>products/vim3/tool/aml-signtool-g12a.zip | sign tool]] decompress it and double click ''AmlEToolV3.exe'' to open it:
-![image|526x500](upload://lghDNq2vxsnV1ofkbrYn0nXIvj7.png)
+{{:products:sbc:vim3:applications:secureboot-1.webp?600|}}
 Select ''OneStepGenKey'' and check ''2048'' then click ''Generate'' to generate the keys:
-![2|521x499](upload://9Kyp54MGHtFTvKTsqN4wUIHDKAK.png)
+{{:products:sbc:vim3:applications:secureboot-2.webp?600|}}
-![3|529x500](upload://3FbHjviDbpSWom566xfpY7cHd7M.png)
-The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time, e.g.
+{{:products:sbc:vim3:applications:secureboot-3.webp?600|}}
-![image|690x312](upload://jNHNYHeqd5UvEoAnnwKoMUhNm4m.png)
+The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time:
+{{:products:sbc:vim3:applications:secureboot-4.webp?600|}}
 You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'':
-- aml-user-key.sig - Used to sign the images
+  * ''aml-user-key.sig'' - Used to sign the images
-- SECURE_BOOT_SET - Used to burn the key
+  * ''SECURE_BOOT_SET'' - Used to burn the key
-===== Encrypt the images =====
+===== Encrypt the image =====
+<WRAP important >
+  * Only support sign tool under Windows system.
+</WRAP>
-Still using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before, and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then, import the image that needs to be encrypted in the ''Input'':
+Also using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,
+and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then import the image that needs to be encrypted in the ''Input'':
-![4|528x500](upload://mtqNEVaT7ms87YectBEynCGUAoo.png)
+{{:products:sbc:vim3:applications:secureboot-5.webp?600|}}
-![image|690x332](upload://zNSFSR7sccGvplEC1TZVqIPo1Es.png)
-![6|521x500](upload://hxAp9FCCRivljCRZwlyB13SEw3A.png)
+{{:products:sbc:vim3:applications:secureboot-6.webp?600|}}
+{{:products:sbc:vim3:applications:secureboot-7.webp?600|}}
 Then click ''Encrypt'' to encrypt the image.
-![7|521x500](upload://mmwZxq6OQNjC6OY9eyrRSQG297i.png)
+{{:products:sbc:vim3:applications:secureboot-8.webp?600|}}
-![8|524x500](upload://sv5JVgrkYvr9k6EHXF3g6fUjbcN.png)
+{{:products:sbc:vim3:applications:secureboot-9.webp?600|}}
+After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the ''secureboot'' suffix,
+e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''.
+Next, we will explain how to flash this encrypted image.
+===== Flash encrypted image  =====
+<WRAP important >
+  * Only support USB flash tool under Windows system.
+</WRAP>
+Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool]], after installation, you need to copy the previously generated file
+''SECURE_BOOT_SET'' to the ''licence'' directory within the USB tool installation directory，e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''.
+{{:products:sbc:vim3:applications:secureboot-10.webp?600|}}
-签名成功后会在原始固件目录下生成一个新的加密固件，命名中包含`secureboot`后缀，如：原始固件为`vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img`，则加密后的固件为`vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img`。
+Open the USB flashing tool, import the encrypted image, check the ''secure_boot_set'' option, and then click ''Start'' to start the flashing process.
-接下来将会介绍如何烧录这个加密的固件。
+{{:products:sbc:vim3:applications:secureboot-11.webp?600|}}
-===== 烧录加密固件 =====
+<WRAP important >
+The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first encryption image flash.
-下载并安装[USB烧录工具](https://dl.khadas.com/products/vim3/tool/usb_burning_tool_v2.2.0.zip)，安装完成后需要把之前生成的文件`SECURE_BOOT_SET `拷贝到USB安装工具目录下的`licence`目录下，如：**C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license**
+Do not check it again for next time flashing with the same board.
+</WRAP>
-![image|690x225](upload://rDGqYwbOUpPDJnwDkFQkGpRvxBx.png)
+===== See Also  =====
-打开USB烧录工具，导入加密的固件，同时勾选`secure_boot_set`选项，然后点击`Start`开始烧录。
+You can find some documentations about how to flash the keys with Amlogic USB Flash Tool from the USB Flash Tool: ''About->Key Help'' and ''About->Burning Key Instruction'':
-![9|690x493](upload://zu1OGk0Am0iJxYSBE28Vb602lfY.png)
+{{:products:sbc:vim3:applications:secureboot-12.webp?600|}}
-**注意：key只能烧录一次，即只在第一次烧录加密固件时勾选`secure_boot_set`，后面再次烧录时不要勾选，否则会烧录失败。**
-===== 警告 =====
-- Secureboot的key只能烧录一次，是不可逆的，所以在烧录时需要慎重
-- 生成的key需要保管好，因为一旦烧录了key，那么以后就只能烧录用这个key签名的固件
-- 一定要做完详细的测试后，确保固件可以用于生产时才开启Secureboot功能

Khadas Docs

User Tools

Site Tools

Differences

Page Tools