To sign an image, you must first generate a Public Key Infrastructure (PKI).
Digi Embedded Yocto automatically generates one if not provided. This topic explains how to manually generate a PKI tree for the ConnectCore MP25.
Generate a Public Key Infrastructure (PKI) tree
-
Install an SDK to have access to the signing tools. See Install a pre-compiled toolchain for instructions.
-
Create a folder to hold the keys and export variable
CONFIG_SIGN_KEYS_PATHwith its path, for instance:$ export CONFIG_SIGN_KEYS_PATH="/home/username/trustfence/mydevice" $ cd ${CONFIG_SIGN_KEYS_PATH} -
Generate the PKI tree with:
$ trustfence-sign-artifact.sh -p ccmp25This generates a subdirectory
keys/with:-
encryption_key_fsbl.bin: encryption/decryption Master Key for FSBL-A and FSBL-M -
encryption_key_fip.bin: encryption/decryption Master Key for FIP -
encryption_key_rproc.bin: encryption/decryption Master Key for remote processor (Cortex-M33) -
fit/fitcfg.crt: public key for FIT configuration nodes -
fit/fitcfg.key: private key for FIT configuration nodes -
fit/fitimg.crt: public key for FIT image nodes -
fit/fitimg.key: private key for FIT image nodes -
keys/key_pass.txt: the eight randomly generated passwords in plain text -
keys/privateKey00..07.pem: the eight private keys -
keys/publicKey00..07.pem: the eight public keys -
keys/publicKeyHash00..07.bin: hashes of the eight ECC public keys -
keys/publicKeysHashHashes.bin: {pkh-contents} -
rproc-keys/key_pass.txt: the randomly generated password in plain text (for Cortex-M33) -
rproc-keys/privateKey.pem: the private key (for Cortex-M33) -
rproc-keys/publicKey.pem: the public key (for Cortex-M33) -
rproc-keys/publicKey.der: the public key info (for Cortex-M33) -
rproc-keys/publicKeyhash.bin: {rproc-pkh-contents} (for Cortex-M33)
-
-
Add this line to your
conf/local.conffile to use the generated keys:TRUSTFENCE_KEYS_PATH = "/home/username/trustfence/mydevice"
