How to use the Signtool Utility to encrypt and sign the unsigned bootstream (loader file generated for an application, example:bootstream.ldr)

Q:

How to use the Signtool Utility to encrypt and sign the unsigned bootstream (loader file generated for an application, example:bootstream.ldr)?

--------------

A:

Signtool Utility comes along with the CCES package which can be used to sign and encrypt the unsigned loader stream and make it secure.

In order to do this, once we have generated the unsigned bootstream through CCES in binary format following commands can be used to sign and encrypt the bootstream:

Now, how to use SignTool:

1. To generate a Public/Private key pair

          Signtool genkeypair –algo ecdsa224 –outfile <keypair_file>

   2. To get the public key from the key pair file

          Signtool getkey –key <keypair_file> -type BLKey –outfile <pubkey_file>

   3. To sign a boot image (BLp)

          Signtool sign –type BLp –prikey <keypair_file> -infile <bootstream_file> -outfile <signed_bootstream_file>

   4. To sign and encrypt a boot image (BLx)

          Signtool sign –type BLx –prikey <keypair_file> -enckey <encryption_key_file> -infile <bootstream_file> -outfile <signed_bootstream_file>

          Note: <encryption_key_file> is 128bit encryption key that is used for encryption and decryption

   5. To sign and encrypt a boot image (BLw)

           Signtool sign –type BLx –prikey <keypair_file> -enckey <encryption_key_file> -wrapkey <wrap_key_file> -infile <bootstream_file> -outfile           <signed_bootstream_file>

     Note: <wrap_key_file> holds another 128-bit key which is used to “wrap” the encryption key used to encrypt the boot stream.

Now below command lines shows the same steps used above for a given unsigned bootstream (bootstream.ldr) to add more clearity:

1. Generate an ECDSA key pair using signtool .

"C:\Analog Devices\CrossCore Embedded Studio 1.1.0\signtool.exe" genkeypair -algo ecdsa224  -outfile keypair.bin

   2. Extract the public key from above generated ECDSA key pair.

            "C:\Analog Devices\CrossCore Embedded Studio 1.1.0\signtool.exe" getkey -key keypair.bin  -type BLKey -outfile pubkey.bin

   3. Now to just sign the unsigned bootstream (bootstream.ldr) use the following command:

"C:\Analog Devices\CrossCore Embedded Studio 1.1.0\signtool.exe" sign -type BLp -prikey keypair.bin -infile bootstream.ldr -outfile blp_signed_bootstream.bin

   4. In order to sign and encrypt the bootstream, two approaches are available:

a. BLx:

"C:\Analog Devices\CrossCore Embedded Studio 1.1.0\signtool.exe" sign -type BLx -prikey keypair.bin -enckey aeskey.bin -infile bootstream.ldr -outfile blx_signed_bootstream.dat

b. BLw:

"C:\Analog Devices\CrossCore Embedded Studio 1.1.0\signtool.exe" sign -type BLw -prikey keypair.bin -enckey aeskey.bin -wrapkey wrapperkey.bin -infile bootstream.ldr -outfile blw_signed_bootstream.dat

Now last step required is to program the corresponding encryption/wrapper key and the public key into the OTP for secure booting.