Secure Boot User Guide

1. Generate a (private, public) key pair

Enter “./boot/iboot/secure/ed25519/apps”, compile with "make", then run "./makekeys 1". This generates the key folder in the current directory, which contains the key pair key_priv_0.hex and key_pub_0.hex. The operation log is as follows:

Place the generated key_priv_0.hex and key_pub_0.hex in the “./build/tools/secure_sign/sign_keys” directory. When you run make, the corresponding signature information is generated from this key pair.

2. Burn OTP

OTP is a type of memory in the MCU. It stands for one-time programmable: after the program is burned into the MCU, it cannot be changed or cleared again.
We use the OTP Tool to burn the user's public_key to the internal OTP location of the IC. Because the OTP can no longer be changed or cleared, ensure that each IC has its own public_key. During the secure boot process, the public_key in the OTP is read and used to verify the corresponding Image file with the ED25519 algorithm.

Files related to burning OTP:

  • OTP User Tool V1.1.0.0.exe // OTP Tool

  • OTP_TABLE_SP7021_user_zone.xls // Configuration file

  • key_pub_0.hex // public key generated in step 1

Burn steps:

a) Open the tool.

  1. Load “OTP_TABLE_SP7021_user_zone.xls” and “key_pub_0.hex” from the ‘File’ option, as shown in the picture.

  2. Select the port that is connected to the platform. The baud rate defaults to 115200.

b) Click the Connect button, and then power on the platform. If the connection succeeds, the Tool’s log displays CONNECT Success. If opening the port fails, check whether another serial device is occupying the port.

c) Check the item that burns the pub key, and then click Write. The Tool’s log then displays write success, indicating that the programming succeeded. You can also click the Read button to check whether the pub key inside the chip is consistent with the one that was programmed.

d) At this point, the OTP burn is complete. Close the OTP Tool and then power on again.

3. Code Config

Secure boot consists of 3 steps:

  • iboot-->xboot

  • xboot-->uboot

  • uboot-->kernel

Verification for iboot-->xboot and uboot-->kernel is always enabled.

xboot-->uboot: Because of the xboot.bin file size limit, verification of uboot is a configuration option in xboot.

Run “make menuconfig” under boot/xboot; the last item indicates whether uboot is verified. It is enabled by default.

4. Add signature

Because xboot, uboot, and kernel all need to be signed, and the signature tool and private/public key are the same for each, signing is handled in the root makefile. After generating the corresponding Image file, run “make secure” and a new Image file with signature data will be generated. The process is as shown in the following figure.

Make sure to put the key_priv_0.hex and key_pub_0.hex files generated in the first step in the ./build/tools/secure_sign/sign_keys directory. Otherwise, the signature data will be generated using the private/public key under test-key.
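A pre-flight check for the fallback described above, written as an added example that is not part of the SDK. It assumes you kept a copy of the public key file that was loaded into the OTP Tool and that you pass the test-key directory yourself, since this guide does not give its full path; files are compared byte for byte, so no key file format is assumed.

```shell
#!/bin/sh
# Added example, not SDK code. File names and the sign_keys path are from the
# guide; the OTP copy and test-key directory are caller-supplied assumptions.

# check_sign_keys SIGN_KEYS_DIR OTP_PUBKEY_COPY [TEST_KEY_DIR]
# Returns 0 when the keys are fit for "make secure", 1 otherwise.
check_sign_keys() {
    dir=$1; otp_pub=$2; test_dir=${3:-}
    priv="$dir/key_priv_0.hex"; pub="$dir/key_pub_0.hex"
    rc=0

    # 1. Both files must exist, or the build signs with the test key.
    for f in "$priv" "$pub"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f missing or empty (build would use test-key)" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The signing public key must be byte-identical to the one burned to
    #    OTP; otherwise signed images fail verification at boot.
    if ! cmp -s "$pub" "$otp_pub"; then
        echo "FAIL: $pub differs from the OTP copy $otp_pub" >&2
        rc=1
    fi

    # 3. Neither file may be a copy of a key shipped in the test-key directory.
    if [ -n "$test_dir" ]; then
        for f in "$test_dir"/*; do
            [ -f "$f" ] || continue
            if cmp -s "$f" "$pub" || cmp -s "$f" "$priv"; then
                echo "FAIL: sign_keys holds the test key $f" >&2
                rc=1
            fi
        done
    fi

    # 4. The private key must not be accessible to group or other.
    perms=$(ls -ld "$priv" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $priv permissions too open ($perms)" >&2
        rc=1
    fi
    return "$rc"
}
# Stand-alone use: sh check_keys.sh SIGN_KEYS_DIR OTP_PUBKEY_COPY [TEST_KEY_DIR]
if [ "$#" -ge 2 ]; then check_sign_keys "$@" || exit 1; fi
```

Run it before “make secure” and stop the build on a non-zero exit status.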

The log information at compile time is as follows:

5. Secure Boot flow and UART log messages

  1. OK log: verification is successful

a) Iboot-->xboot:

b) Xboot-->uboot:

c) Uboot-->kernel:

  2. Fail log:

If verification fails, the boot process does not jump to the next stage.