Enable Secure boot + DB410C with Linux


#1

Hi,

I am exploring the secure boot feature on the DragonBoard 410c. For that I have downloaded the Qualcomm LE release from CreatePoint and am following the steps mentioned in the release note document (APQ8016.LE.1.0 Linux Enabled Release 1.0.33 for APQ8016E).

I have created signed images as mentioned in the release document and also generated the sec.dat file.

Case 1: I flashed all the signed images on the DragonBoard 410c without flashing the sec.dat file. The board boots up successfully with the signed images (without flashing the sec.dat file).

Case 2: On top of the above case, I flashed the sec.dat file and power cycled the DB410c board. It looks like SBL is up but it is not able to bring up lk (emmc_appsboot.mbn).

Case 3: After all of the above, I flashed the unsigned images using QFIL; the unsigned images flashed successfully and the board also boots up fine. As mentioned in the release document, once the fuse is blown we can flash signed images only. Does it mean that the fuse is not blown on the 410c board?

Thanks & Regards,
Darshak


#2

I can’t help much with the other questions but 410c is a developer board and is not configured for secure boot, nor AFAIK does it even have any private keys configured.

I believe the information about secure boot is shared to allow vendors of custom APQ8016E boards to enable secure boot on their platforms. Similarly recent Linaro releases require that LK be signed (to make it easier for vendors of custom boards to reuse our work) but the secondary bootloader doesn’t actually check the signature due to the absence of any private keys.


#3

Hi Daniel,

I know this is an old topic… Anyway, I have one question about this. How should the private key be burned to the device to enable SBL signature validation (will it be part of the sec.dat)?

Regards


#4

… and I’m afraid that is still the case. To discuss secure provisioning of these parts you must work with Qualcomm or Arrow.


#5

Hi Daniel, I have one more question regarding the LK functionality to check the kernel signature. As I saw, LK has a built-in certificate and the oem_keystore. On start, LK checks the keystore partition; if it does not exist, it will boot using the oem_keystore. My question is how a user can create their own keystore binary data and what the content of it is (just the signed collection of RSA keys?). Also, is it possible to sign the boot.img without the Android build system tools?


#6

AFAIK no official DB410C image enables any form of signed boot so I’m afraid I have to play the “I don’t know” card again here.