How to sign linux-kernel image?


#1

Hi all,
How to sign kernel image in linux with own secured keys?

Regards,
Laxman


#2

The answer varies. What platform are you working on?


#3

Hi danielt,
i’m working on 8916 only.

Regards,
Laxman


#4

So on DB410C we don’t have an end to end example, mostly because the SoC in DB410C is not configured with any secure keys (and also because its a developer board and it would inconvenient to have signed kernels). However there is information in the release notes on how to build a signed LittleKernel (scroll down):
http://builds.96boards.org/releases/dragonboard410c/linaro/debian/latest/

Basically the DB410C is configured to require that a signature block exists but it will not validate it. The purpose of this is to make the flow into LK the same for both non-secure devices like DB410C and secure devices with private keys making it easier to reuse the components from DB410C on similar boards.

However, once you have a signed LK everything should end up “the same as Android” since we use the same abootimg format for debian and Android kernels. Thus, if you able to source a SoC with private keys installed you should also be able to access information from Qualcomm on how Android kernels are signed.


#5

Thanks danielt for the info…

Regards,
Laxman