How to sign linux-kernel image?


Hi all,
How to sign kernel image in linux with own secured keys?



The answer varies. What platform are you working on?


Hi danielt,
i’m working on 8916 only.



So on DB410C we don’t have an end to end example, mostly because the SoC in DB410C is not configured with any secure keys (and also because its a developer board and it would inconvenient to have signed kernels). However there is information in the release notes on how to build a signed LittleKernel (scroll down):

Basically the DB410C is configured to require that a signature block exists but it will not validate it. The purpose of this is to make the flow into LK the same for both non-secure devices like DB410C and secure devices with private keys making it easier to reuse the components from DB410C on similar boards.

However, once you have a signed LK everything should end up “the same as Android” since we use the same abootimg format for debian and Android kernels. Thus, if you able to source a SoC with private keys installed you should also be able to access information from Qualcomm on how Android kernels are signed.


Thanks danielt for the info…