Build and Sign an Image

You will need to use Yocto to build a signed image that is bootable on secure boot hardware. Please refer to Build the BSP for instructions to set up your host machine to build images with Yocto.

Building a signed image

At the top of $BUILDDIR/conf/local.conf you will find a MACHINE variable. It should be set to “phyboard-electra-am64xx-3”. The -3 machine is the machine with secure boot enabled, so it will be built with signed bootloaders.

You will also need to set your keys in the same $BUILDDIR/conf/local.conf file. There is a section for security configuration with the BOOTLOADER_TI_K3_MPK_KEY variable. Currently it points to PHYTEC’s default key in phytec-dev-ca, which is stored in the same directory as Yocto’s $BUILDDIR. You can store your keys wherever you would like, but it is best to store them outside of source code. Make sure this variable points to the SMPK that you used while signing your hardware.

Note

The phytec-dev-ca directory becomes available only after the build process has started and the dependencies of the U-Boot recipes are resolved. This can be confusing because keys are typically not part of a dedicated Yocto recipe. Additionally, the current KEY variables point to the phytec-dev-ca directory, which does not exist immediately after checking out the BSP. These keys will become available later, once the dependencies are resolved.

There is also a DISTRO variable. Make sure it is set to ampliphy for now, and run:

host:~$ bitbake phytec-headless-image

This will generate a signed image that you can flash to an SD card and run on your signed hardware.

Building a Securiphy image

The securiphy image has more security features built in, such as a signed kernel. To build this, you need the MACHINE and BOOTLOADER_TI_K3_MPK_KEY variables set as before, and the DISTRO needs to be set to securiphy. Then you can run

host:~$ bitbake phytec-securiphy-image

This will generate a partup image which can be flashed to the eMMC by following the instructions at Flashing the eMMC.
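
The settings described above can be checked before starting a long build. The following script is an added example, not part of PHYTEC's BSP: it reads MACHINE, DISTRO and BOOTLOADER_TI_K3_MPK_KEY from a local.conf and reports a wrong machine or distro, and a key that is unset, unreadable or still pointing into phytec-dev-ca. It assumes your hardware was signed with your own SMPK rather than PHYTEC's default key; the function names, the sample file and the placeholder key path are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-build check of the signing settings in local.conf.

# Print the value of the last uncommented assignment of variable $2 in file $1.
# Simplified: understands VAR = "x", ?=, ??= and := but not BitBake overrides.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?:]\{0,2\}=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Check local.conf ($1) for a build of distro $2 (ampliphy or securiphy).
# Prints one line per finding and returns the number of findings.
check_signing_conf() {
    conf=$1; want_distro=$2; findings=0
    machine=$(conf_get "$conf" MACHINE)
    distro=$(conf_get "$conf" DISTRO)
    key=$(conf_get "$conf" BOOTLOADER_TI_K3_MPK_KEY)

    if [ "$machine" != "phyboard-electra-am64xx-3" ]; then
        echo "MACHINE is '$machine', not the secure boot (-3) machine"
        findings=$((findings + 1))
    fi
    if [ "$distro" != "$want_distro" ]; then
        echo "DISTRO is '$distro', expected '$want_distro'"
        findings=$((findings + 1))
    fi
    case $key in
        "") echo "BOOTLOADER_TI_K3_MPK_KEY is not set"
            findings=$((findings + 1)) ;;
        *phytec-dev-ca*)
            echo "key still points into phytec-dev-ca (PHYTEC's default key)"
            findings=$((findings + 1)) ;;
        *'${'*) echo "key path uses a BitBake variable, file not checked: $key" ;;
        *)  if [ ! -r "$key" ]; then
                echo "key file not readable: $key"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# Constructed sample local.conf (not PHYTEC's file) so the check runs offline.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
MACHINE ?= "phyboard-electra-am64xx-3"
#DISTRO ?= "securiphy"
DISTRO ?= "ampliphy"
BOOTLOADER_TI_K3_MPK_KEY = "/constructed/phytec-dev-ca/PLACEHOLDER.pem"
EOF
check_signing_conf "$demo_conf" securiphy || echo "findings: $?"
```

To check a real build directory, call check_signing_conf with $BUILDDIR/conf/local.conf and the distro you intend to build. local.conf is only one input to BitBake, so bitbake -e phytec-headless-image remains the way to see the values that are finally resolved.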

More about Securiphy

For more information on the securiphy distro and secure boot, see the documentation here: https://www.phytec.eu/en/cdocuments/?doc=D4AwIg