Khadas Docs

products:sbc:vim3:applications:secureboot

Differences

This shows you the differences between two versions of the page.

products:sbc:vim3:applications:secureboot [2023/08/30 02:30]
nick
products:sbc:vim3:applications:secureboot [2023/08/30 02:48] (current)
nick
Line 7: Line 7:
 Enabling Secureboot means that the board can only flash image signed with the same key, it won't be possible to flash any other unsigned image or image signed with a different key anymore.  Enabling Secureboot means that the board can only flash image signed with the same key, it won't be possible to flash any other unsigned image or image signed with a different key anymore. 
  
-If you need to add Secureboot support, you will require additional patches to enable it.+If you want to enable the Secureboot feature, you can follow this documentation to apply extra patches and sign the image. 
 + 
 +<WRAP important > 
 +  * Only support eMMC installation image. 
 +</WRAP> 
  
 ===== Warning ===== ===== Warning =====
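Review bot: The new note "Only support eMMC installation image." has no subject and does not say which image types are excluded. Suggest "Only eMMC installation images are supported." and naming the unsupported image types, since the paragraph above states that a board with Secureboot enabled will refuse unsigned images and images signed with a different key.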
Line 39: Line 44:
 There 2 patches, one is for Fenix, and the other one is for u-boot. There 2 patches, one is for Fenix, and the other one is for u-boot.
  
-===== Compile the images =====+===== Compile the image =====
  
  
-You can compile the images after apply the patches.+You can compile the image after apply the patches.
  
 ===== Generate the signing key ===== ===== Generate the signing key =====
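Review bot: The changed sentence under "Compile the image" still reads "after apply the patches"; it should be "after applying the patches". The section gives no build command or link to the build instructions, so the reader is not told how to compile once the patches are applied. The context line above it, "There 2 patches", is missing "are".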
Line 58: Line 63:
 {{:products:sbc:vim3:applications:secureboot-3.webp?600|}} {{:products:sbc:vim3:applications:secureboot-3.webp?600|}}
  
-The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time, e.g.+The path of generated keys is in the ''key'' directory within the current sign tool's directory, named after the current time:
  
 {{:products:sbc:vim3:applications:secureboot-4.webp?600|}} {{:products:sbc:vim3:applications:secureboot-4.webp?600|}}
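Review bot: With "e.g." replaced by a colon, the sentence now depends entirely on the screenshot to show what the time-based directory name looks like, and "The path of generated keys is in" remains awkward. Suggest "The generated keys are saved in the ''key'' directory inside the sign tool's directory, in a subdirectory named after the current time:" and giving the name format in text so the step is usable without the image.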
Line 64: Line 69:
 You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'': You need to save the files ''aml-user-key.sig'' and ''SECURE_BOOT_SET'':
  
-aml-user-key.sig - Used to sign the images +  * ''aml-user-key.sig'' - Used to sign the images 
-SECURE_BOOT_SET - Used to burn the key+  * ''SECURE_BOOT_SET'' - Used to burn the key
  
-===== Encrypt the images =====+===== Encrypt the image =====
  
 +<WRAP important >
 +  * Only support sign tool under Windows system.
 +</WRAP>
  
-Still using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,  +Also using the sign tool ''AmlEToolV3.exe'', select ''Entire'', import the ''User Key'', which is the file ''aml-user-key.sig'' generated before,  
-and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Thenimport the image that needs to be encrypted in the ''Input'':+and also check ''Only_BootLoader_Encrypt'' and ''Disable OTA sign''. Then import the image that needs to be encrypted in the ''Input'':
  
  
 {{:products:sbc:vim3:applications:secureboot-5.webp?600|}} {{:products:sbc:vim3:applications:secureboot-5.webp?600|}}
- 
  
  
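Review bot: The renamed heading "Encrypt the image" and the body ("the image that needs to be encrypted") describe encryption, while the new list item says ''aml-user-key.sig'' is "Used to sign the images" and the tool is called "the sign tool". Signing and encryption give different guarantees, so state once what ''AmlEToolV3.exe'' does with ''Only_BootLoader_Encrypt'' checked and use that term throughout. The list item also keeps the plural "images" where the rest of the change moved to the singular, and the new note would read better as "The sign tool is only supported on Windows."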
Line 93: Line 100:
  
 After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the ''secureboot'' suffix,  After successful signing, a new encrypted image will be generated in the original image directory, with a filename containing the ''secureboot'' suffix, 
-e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''+e.g. if the orignal file is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.img'', then the encrypted image is ''vim3-ubuntu-22.04-server-linux-4.9-fenix-1.5.2-230830-emmc-develop.20230830105011.secureboot.img''.
  
  
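Review bot: The line touched to add the trailing period still contains the typo "orignal"; correct it to "original" in the same edit. The sentence also opens with "After successful signing" and then refers to the "encrypted image", which carries the sign/encrypt mix into this section; use one term.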
Line 101: Line 108:
 ===== Flash encrypted image  ===== ===== Flash encrypted image  =====
  
 +<WRAP important >
 +  * Only support USB flash tool under Windows system.
 +</WRAP>
  
-Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool), after installation, you need to copy the previously generated file +Download and install the [[dl>products/vim3/tool/usb_burning_tool_v2.2.0.zip | USB flash tool]], after installation, you need to copy the previously generated file 
 ''SECURE_BOOT_SET'' to the ''licence'' directory within the USB tool installation directory,e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''. ''SECURE_BOOT_SET'' to the ''licence'' directory within the USB tool installation directory,e.g. ''C:\Program Files (x86)\Amlogic\USB_Burning_Tool\license''.
  
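Review bot: In the context line following the corrected link, the prose names the ''licence'' directory while the example path ends in ''\license''; one of the two spellings is wrong, and a reader following the prose may copy ''SECURE_BOOT_SET'' to a directory the tool does not read. Make the prose match the actual directory name and add the missing space in "directory,e.g.". The new note would read better as "The USB flash tool is only supported on Windows."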
Line 114: Line 124:
 <WRAP important > <WRAP important >
 The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first encryption image flash. The key can only be flashed once, meaning you should only check ''secure_boot_set'' during the first encryption image flash.
-Do not check it again for subsequent flashes or it will fail.+ 
 +Do not check it again for next time flashing with the same board.
 </WRAP> </WRAP>
 +
 +===== See Also  =====
 +
 +You can find some documentations about how to flash the keys with Amlogic USB Flash Tool from the USB Flash Tool: ''About->Key Help'' and ''About->Burning Key Instruction'':
 +
 +{{:products:sbc:vim3:applications:secureboot-12.webp?600|}}
 +
 +
 +
 +
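Review bot: The rewritten warning drops "or it will fail", so the reader is no longer told what happens if ''secure_boot_set'' is checked on a later flash; keep the consequence, for example "Do not check it again when flashing the same board later, or the flash will fail." Because the key can only be flashed once, this warning is also the natural place to remind readers to keep the ''aml-user-key.sig'' and ''SECURE_BOOT_SET'' files that the earlier section tells them to save. In the new See Also section, "some documentations" should be "documentation".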
Last modified: 2023/08/30 02:30 by nick