Enable Secure Boot on linux?


Can secure boot be implemented in debian/snappy ubuntu core linux releases?

What kind of effort would be involved?



Secure boot requires a primary bootloader configured with signature checking and the current releases do not support this.

The next Debian-based release (currently hoped to be 17.04) is expected to ship with signature checking enabled and with LK set up appropriately and will therefore provide a fully worked example of how to perform a secure boot. However… these images serve only as an example. They will not achieve any meaningful secure boot because the keys used to sign the release will be well known “dummy” keys.

To the example sequence you will have to add an appropriate primary bootloader and resign the later components with your own key.


PBL is readonly right?so we have to buy new MCU msm8969 once it be updated to support secure boot,is it?
really looking forward to the secure boot function.


well, the ‘primary bootloader’ mentioned by @danielt above is actually the ‘secondary bootoader’ in Qualcomm terminology. e.g.

PBL: ROM code
SBL: first stage bootloader
APPSBL : application bootloader (aka LK)


Sorry for the lose use of terminology on my part…


ok… so probably there is no way to verify SBL(first stage bootloader)?


Pretty much. On DB410C the secure boot is purely a demonstrator. However
other boards based on the same SoC (but with appropriate keys burned in
to signature check SBL) full secure boot can be implemented by copying
the demonstrator and replacing the keys.



is the signature check a parameter set in the SBL code or is it set into the PBL during manufacturing process?


Hi skxo

Personally I suspect that the answer is both (as part of a chain of trust) but I’m only happy to say this publicly because I don’t know for sure.

At this level of detail we start reach the limit of what can be usefully discussed on the forums. Secure boot on DB410C will be a demonstrator with well known keys. If you want to develop a secure boot implementation for the SoC you need to start a conversation with Qualcomm. They control both manufacturing process and access to the SBL source code.