Secure Boot Loader stream generation

How to generate secure loader stream in the formats Blp, Blx and Blw?

[edited by: JValeriani at 7:26 PM (GMT 0) on 3 Sep 2019]
  • CCES provides the signtool utility to generate secure boot streams in the formats Blp, Blx or Blw. Sample commands to do the same are given here. The same tool has options to generate the ECDSA key pair and the encryption keys.

    Generation of Blp boot loader stream:

    "<CCES installation path>\signtool.exe" sign -type BLp -attribute 0x80000002=<BCODE value> -attribute 0x80000003=<give 256 or 224 here based on the ECDSA type> -prikey <ecdsa keypair.der> -infile <input loader stream file to be signed> -outfile <output file path>

    Generation of Blw boot loader stream:

    "<CCES installation path>\signtool.exe" sign -type BLw -prikey <ecdsa keypair.der> -infile <input loader stream file to be signed> -enckey <encryption key.bin> -wrapkey <wrapkey.bin> -outfile <output file path>

    For a complete list of the options supported by this tool, use the help option as below:

    "<CCES installation path>\signtool.exe" -help