Differences

This shows you the differences between two versions of the page.

--- products:sbc:vim3:applications:secureboot [2023/08/30 02:28]
nick
+++ products:sbc:vim3:applications:secureboot [2023/08/30 02:48] (current)
nick
@@ Line 3: / Line 3: @@
 ===== Introduction =====
-The default image compiled by Fenix for Ubuntu/Debian does not support Secureboot. For ordinary users, Secureboot functionality is not necessary.
+The default image compiled by [[kg>fenix | Fenix ]] for ''Ubuntu/Debian'' does not support Secureboot. For ordinary users, Secureboot functionality is not necessary.
-Enabling Secureboot means that the board can only flash image signed with the same key. It won't be possible to flash any other unsigned image or image signed with a different key.
+Enabling Secureboot means that the board can only flash image signed with the same key, it won't be possible to flash any other unsigned image or image signed with a different key anymore.
-Additionally, the process of flashing the key is irreversible.
+If you want to enable the Secureboot feature, you can follow this documentation to apply extra patches and sign the image.
+<WRAP important >
+  * Only support eMMC installation image.
+</WRAP>
-If you need to add Secureboot support, you will require additional patches to enable it.
 ===== Warning =====
@@ Line 41: / Line 44: @@
 There 2 patches, one is for Fenix, and the other one is for u-boot.
-===== Compile the images =====
+===== Compile the image =====
-You can compile the images after apply the patches.
+You can compile the image after apply the patches.
 ===== Generate the signing key =====
@@ Line 60: / Line 63: @@
 {{:products:sbc:vim3:applications:secureboot-3.webp?600|}}
-The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time, e.g.
+The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time:
 {{:products:sbc:vim3:applications:secureboot-4.webp?600|}}
@@ Line 66: / Line 69: @@
 You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'':
-- aml-user-key.sig - Used to sign the images
+  * ''aml-user-key.sig'' - Used to sign the images
-- SECURE_BOOT_SET - Used to burn the key
+  * ''SECURE_BOOT_SET'' - Used to burn the key
-===== Encrypt the images =====
+===== Encrypt the image =====
+<WRAP important >
+  * Only support sign tool under Windows system.
+</WRAP>
-Still using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,
+Also using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,
-and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then, import the image that needs to be encrypted in the ''Input'':
+and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then import the image that needs to be encrypted in the ''Input'':
 {{:products:sbc:vim3:applications:secureboot-5.webp?600|}}
@@ Line 95: / Line 100: @@
 After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the ''secureboot'' suffix,
-e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''
+e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''.
@@ Line 103: / Line 108: @@
 ===== Flash encrypted image  =====
+<WRAP important >
+  * Only support USB flash tool under Windows system.
+</WRAP>
-Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool), after installation, you need to copy the previously generated file
+Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool]], after installation, you need to copy the previously generated file
 ''SECURE_BOOT_SET'' to the ''licence'' directory within the USB tool installation directory，e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''.
@@ Line 116: / Line 124: @@
 <WRAP important >
 The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first encryption image flash.
-Do not check it again for subsequent flashes or it will fail.
+Do not check it again for next time flashing with the same board.
 </WRAP>
+===== See Also  =====
+You can find some documentations about how to flash the keys with Amlogic USB Flash Tool from the USB Flash Tool: ''About->Key Help'' and ''About->Burning Key Instruction'':
+{{:products:sbc:vim3:applications:secureboot-12.webp?600|}}

Khadas Docs

User Tools

Site Tools

Differences

Page Tools