Setup secure boot chain of trust for self built images

Which Khadas SBC do you use?


Which system do you use? Android, Ubuntu, OOWOW or others?


Which version of system do you use? Khadas official images, self built images, or others?

self built images

Please describe your issue below:


Is there a detailed procedure explaining how to setup the chain of trust (using a set of keys generated at random) for building an image with secure boot enabled ?

Looking at the U-Boot source code on github is seems that secure boot is already enabled by default
u-boot/kvim3.h at khadas-vims-v2015.01 · khadas/u-boot · GitHub
//support secure boot


And there is also a default signature key file present:
h ttps://

There are also Amlogic tools available on the download page to generate a aml-user-key.sig file with ramdom keys:

But it would help to have more details on:

  • how to use the Aml-signtool
  • what is required to do on the Amlogic chip (write data in OTP, how ? something else ?)
  • what has to be done in U-Boot (simply put the new aml-user-key.sig and build ? something else ?)
  • some more steps ?

Thanks a lot in advance for your help