
Signing ARTIK Code

Having compiled and loaded pre-signed code, you now need to understand the production code signing process.

ARTIK "s" modules do not accept loading of code unless it has been digitally signed with the correct security signature. During development, the codesigner tool was automatically called by the build scripts to sign with a default key and overwrite the boot images. In production, you need to:

  • Use the KMS portal to sign your images with your unique key
  • Explicitly copy the signed images back so they can be packaged.

Go to the Production KMS article to learn about interacting with the KMS portal. Once you understand how to sign your boot images, return here to complete the process of packaging the final production image.

Preparation

  1. Go to the top folder of your ARTIK710s or ARTIK530s working directory, and set 'WD' to the path value so we can use it below.
    # export WD=`pwd`

  2. Make a subdirectory and export the path.
    # mkdir $WD/build-artik/kms-prebuilt
    # export KPD=$WD/build-artik/kms-prebuilt

You will next be uploading, signing, and downloading the Bootloader Stage 1 and Stage 2 files following the KMS procedure.

For ARTIK 530s 1G modules, use artik533s files.

Packaging Signed Files

For ARTIK 530s:

  1. From boot-firmwares-artik530s/, upload bl_mon.img to the KMS, sign it, then download the signed image bl_mon.img-signed

  2. From your output directory
    build-artik/output/images/artik530s/$version/$date/
    upload secureos.img and bootloader.img to the KMS, sign them, and download secureos.img-signed and bootloader.img-signed

  3. From your Downloads, copy the signed files into the KMS pre-built directory.
    # cd ~/Downloads
    # cp *-signed ${KPD}/

  4. Copy the Stage 1 images you got by e-mail into ${KPD}.
    Image for booting from SD card:
    cp boot-firmwares-artik530s/loader-sdboot.img ${KPD}/
    Image for booting from eMMC:
    cp boot-firmwares-artik530s/loader-emmcboot.img ${KPD}/

  5. Package the signed files
    # cd $WD/build-artik
    # ./release.sh -c ./config/artik530s_ubuntu.cfg --kms-prebuilt-dir ${KPD} --kms-target-dir [step 2 output dir]

For ARTIK 530s 1G (artik533s files):

  1. From boot-firmwares-artik533s/, upload bl_mon.img to the KMS, sign it, then download the signed image bl_mon.img-signed

  2. From your output directory
    build-artik/output/images/artik533s/$version/$date/
    upload secureos.img and bootloader.img to the KMS, sign them, and download secureos.img-signed and bootloader.img-signed

  3. From your Downloads, copy the signed files into the KMS pre-built directory.
    # cd ~/Downloads
    # cp *-signed ${KPD}/

  4. Copy the Stage 1 images you got by e-mail into ${KPD}.
    Image for booting from SD card:
    cp boot-firmwares-artik533s/loader-sdboot.img ${KPD}/
    Image for booting from eMMC:
    cp boot-firmwares-artik533s/loader-emmcboot.img ${KPD}/

  5. Package the signed files
    # cd $WD/build-artik
    # ./release.sh -c ./config/artik533s_ubuntu.cfg --kms-prebuilt-dir ${KPD} --kms-target-dir [step 2 output dir]

For ARTIK 710s:

  1. From boot-firmwares-artik710s/, upload fip-secure.img to the KMS, sign it, then download the signed image fip-secure.img-signed

  2. From your output directory
    build-artik/output/images/artik710s/$version/$date/
    upload fip-nonsecure.img to the KMS, sign it, and download
    fip-nonsecure.img-signed

  3. From your Downloads, copy the signed files into the KMS pre-built directory.
    # cd ~/Downloads
    # cp *-signed ${KPD}/

  4. Copy the Stage 1 images you got by e-mail into ${KPD}.
    Image for booting from SD card:
    cp boot-firmwares-artik710s/bl1-sdboot.img ${KPD}/
    Image for booting from eMMC:
    cp boot-firmwares-artik710s/bl1-emmcboot.img ${KPD}/

  5. Package the signed files
    # cd $WD/build-artik
    # ./release.sh -c ./config/artik710s_ubuntu.cfg --kms-prebuilt-dir ${KPD} --kms-target-dir [step 2 output dir]

You now have a final image that you can burn to an SD card for Flash update in the usual way. If booting is okay and your changes are applied, operation is verified. You can also check the U-Boot build time or version.

If any Stage 1 – Stage 2 firmware mismatch occurs, booting will fail.
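
The packaging steps above depend on ${KPD} holding exactly the right set of files, and the `cp *-signed` in step 3 copies every signed file in ~/Downloads, including stale ones left over from another module. The pre-flight check below is an added example, not part of the ARTIK build scripts; the function names are hypothetical and the file lists are taken from the steps on this page. It checks file names and sizes only and does not verify signatures.

```shell
#!/bin/sh
# Pre-flight check for the KMS pre-built directory (added example, hypothetical names).
# File lists come from the packaging steps on this page.
expected_files() {
    case "$1" in
        artik530s|artik533s)
            echo "bl_mon.img-signed secureos.img-signed bootloader.img-signed" \
                 "loader-sdboot.img loader-emmcboot.img" ;;
        artik710s)
            echo "fip-secure.img-signed fip-nonsecure.img-signed" \
                 "bl1-sdboot.img bl1-emmcboot.img" ;;
        *) return 1 ;;
    esac
}

# check_kms_prebuilt MODULE DIR
# Returns 0 only if every expected file is present and non-empty and
# DIR holds no *-signed file that does not belong to MODULE.
check_kms_prebuilt() {
    module=$1 dir=$2 rc=0
    want=$(expected_files "$module") || { echo "unknown module: $module" >&2; return 2; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    for f in $want; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING     $f"; rc=1
        elif [ ! -s "$dir/$f" ]; then
            echo "EMPTY       $f"; rc=1      # e.g. an interrupted download
        else
            echo "OK          $f"
        fi
    done

    # Flag signed files the glob copy picked up that this module does not use.
    for p in "$dir"/*-signed; do
        [ -e "$p" ] || continue             # glob matched nothing
        name=${p##*/}
        case " $want " in
            *" $name "*) ;;
            *) echo "UNEXPECTED  $name"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_kms.sh artik530s "$KPD"
if [ "$#" -eq 2 ]; then
    check_kms_prebuilt "$1" "$2"
fi
```

Run it after step 4 and before release.sh; a non-zero exit status means the directory should be corrected before packaging.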

Example

This example uses ARTIK 530s.

First, build:

./release.sh -c config/artik530s.cfg -v 1.0 -d 20171115.19 --local-rootfs /opt/rootfs.tar.gz

After following the KMS signing procedure, you package the build like this:

./release.sh -c config/artik530s.cfg -v 1.0 -d 20171115.19 --local-rootfs /opt/rootfs.tar.gz --kms-prebuilt-dir kms-prebuilt --kms-target-dir kms-out output/artik530s/[version]/[date]

You can find packaged images in "output/artik530s/[version]/[date]/signed".


Building without signing. If you are not changing the boot code, you do not need to sign. For example, run the build_ubuntu.sh script, then Flash-program the image by partition, loading only 'rootfs'.
