Sign HLOS kernel image The HLOS kernel image is a binary image. An MBN header must be prefixed to the image before signing; for details, see Hash table segment . If the SecTools version is less than 5.44, modify the
Sign image with SecTools QTI has developed a standalone tool called SecTools to sign images for the secure device. The tool is written in Python and the configuration data is stored in XML format. The config file for image signing
Signing hash and verification The pregenerated signature D (see Figure : 1 ) is decrypted with the public key stored in the certificate, to compare with the local calculated hash digest. If they are the same, image authentication is a
Sign Q6 image for Secure PIL The default configuration for loading the Q6 image from the HLOS kernel uses the non-secure PIL (using the remoteproc framework in the kernel). To support secure PIL loading, the Q6 MBN image must first
Sign rootfs image To sign the rootfs image: Remove padding Sign the rootfs image Append the signature and certificates with the kernel image The rootfs authentication is not enabled by default. To enable the rootfs authentication, define CONFIG_IPQ_ROOTFS_AUTH in U-Boot
Sign with ELF format An ELF image file_to_sign.elf must have m sections, where m ≥ 1. The signing tool must compute an SHA1 digest (D n ) for each loadable section (with PT_LOAD flag), so the result is n (
Single-segment binaries Single-segment binaries are those binaries where the entire loadable code segment is a single piece within the image. To find information such as source address, destination address, image type, the mkheader.py script in the build process calculates more
Software ID The software ID identifies the image type. The bits in the SW_ID OU field in the signed image must match the code. Only the lower 32 bits represent the Software ID, the highest 32 bits must match the
Software version rollback limitation Rollback version prevention has a limitation on a software version that exceeds the maximum eFuse version. For a specified image, if the software version exceeds the maximum eFuse version, the image bypasses the version check. This
Software version rollback prevention use case A device starts with software version 0. A user decides to upgrade the TZ software version to 1; the user must sign TZ images with the new SW_ID : TZ with SW_ID = 0x0000000100000007