Setup secure boot chain of trust for self built images

Which Khadas SBC do you use?

VIM3

Which system do you use? Android, Ubuntu, OOWOW or others?

Ubuntu

Which version of system do you use? Khadas official images, self built images, or others?

self built images

Please describe your issue below:

Hello,

Is there a detailed procedure explaining how to set up the chain of trust (using a set of keys generated at random) for building an image with secure boot enabled?

Looking at the U-Boot source code on GitHub, it seems that secure boot is already enabled by default:
u-boot/kvim3.h at khadas-vims-v2015.01 · khadas/u-boot · GitHub
//support secure boot

#define CONFIG_AML_SECURE_UBOOT 1

And there is also a default signature key file present:
https://github.com/khadas/u-boot/blob/khadas-vims-v2015.01/board/khadas/kvim3/aml-user-key.sig

There are also Amlogic tools available on the download page to generate an aml-user-key.sig file with random keys:
https://dl.khadas.com/Tools/Aml-signtool-G12A.zip

But it would help to have more details on:

  • how to use the Aml-signtool
  • what is required to do on the Amlogic chip (write data in OTP, how? something else?)
  • what has to be done in U-Boot (simply put the new aml-user-key.sig and build? something else?)
  • some more steps?

Thanks a lot in advance for your help.