Getting the firmware

Building from source

Trusted Substrate is part of TRS, so the same steps documented at Initial setup apply when building it from source.

Building meta-ts from source

By default, make meta-ts builds the firmware for all supported boards.

Warning

Since UEFI secure boot is enabled by default, boards that embed the UEFI keys in the firmware binary will use the predefined Linaro certificates. Those boards will only boot images signed by the aforementioned Linaro certificates, and the matching private key is public, so this configuration is for development only.

See Building with your own certificates if you want to generate and embed your own, and Secure boot limitations for the hardware limitations.

Compiling for a different board is straightforward. To build the firmware for a single board only, pass TARGET to make with the board name:

make TARGET=<BOARD> meta-ts

Replace <BOARD> with one of:

  • qemuarm64-secureboot

  • synquacer

  • stm32mp157c-dk2

  • stm32mp157c-ev1

  • rockpi4b

  • rpi4

  • zynqmp-kria-starter

The build output is placed in build/tmp_<BOARD>/deploy/images/.

Hint

The build directory contains a lot of artifacts. See Installing firmware for the per-board files you actually need.

Downloading board binaries

We produce daily builds for all supported boards here.

Building with your own certificates

Warning

The nightly builds we provide for devices that embed the keys in the firmware binary are signed with a private key that is publicly available at meta-trustedsubstrate/uefi-certificates/. Anyone can use it to sign an EFI binary that such a device will boot, so secure boot offers no protection in that configuration. Replacing these keys with your own is a mandatory step for production firmware.

You need to generate the following keys:

  • PK - Platform Key (Top-level key)

  • KEK - Key Exchange Key (used to sign updates to the Signature Database and the Forbidden Signature Database)

  • db - Signature Database (Contains keys and/or hashes of allowed EFI binaries)

  • dbx - Forbidden Signature Database (Contains keys and/or hashes of forbidden EFI binaries)

Refer to Create certificates and keys for generating the certificates, then create a tar.gz archive containing the four .esl files:

tar -czf uefi_certs.tgz db.esl dbx.esl KEK.esl PK.esl

Point the UEFI_CERT_FILE variable at that archive, for example UEFI_CERT_FILE: "<path>/uefi_certs.tgz" in ci/base.yml, or the equivalent assignment in your local.conf, and rebuild your firmware.

Note

This is only needed if the UEFI variables are built into the firmware binary. You do not need this if your board has an RPMB and OP-TEE support: there the variables live in RPMB-backed storage rather than in the firmware image, so the keys are enrolled on the device instead of at build time.
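Before packaging the .esl files it is worth checking what is actually in them: that PK.esl holds exactly one X.509 certificate, that KEK.esl and db.esl are not empty, and that none of them still contains a development certificate you meant to replace. The following added example (not part of the Trusted Substrate project or its documentation) builds and parses the EFI_SIGNATURE_LIST structure with only the Python standard library, so it can be run against the files produced in the step above. The GUIDs are the ones defined by the UEFI specification; SAMPLE_DER and OWNER_GUID are constructed placeholders, not a real certificate or a real owner identity, and the function and file names are this example's own.

```python
"""Build and audit UEFI EFI_SIGNATURE_LIST (.esl) blobs with the standard library only.

Added example: this is not Trusted Substrate / meta-ts code. It parses the on-disk
format that tools such as efitools' cert-to-efi-sig-list emit, so you can verify
PK.esl, KEK.esl, db.esl and dbx.esl before archiving them into uefi_certs.tgz.
"""
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian on disk), then
# SignatureListSize, SignatureHeaderSize and SignatureSize as little-endian UINT32.
_HDR = struct.Struct("<16sIII")
_GUID_LEN = 16

# Constructed placeholders for the demonstration: NOT a real certificate or owner.
OWNER_GUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256   # fake DER-looking bytes, 260 bytes long


def build_esl(sig_type, owner, entries):
    """Return one EFI_SIGNATURE_LIST holding `entries` (all of equal size) owned by `owner`."""
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("all entries in one signature list must have the same size")
    sig_size = _GUID_LEN + size                      # each EFI_SIGNATURE_DATA = owner GUID + data
    list_size = _HDR.size + sig_size * len(entries)  # SignatureHeaderSize is 0 for these types
    out = bytearray(_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size))
    for entry in entries:
        out += owner.bytes_le + entry
    return bytes(out)


def x509_esl(der_cert, owner):
    """An X.509 list can only ever hold one certificate, since SignatureSize is fixed per list."""
    return build_esl(EFI_CERT_X509_GUID, owner, [der_cert])


def sha256_esl(digests, owner):
    """A list of 32-byte SHA-256 digests, the usual content of dbx."""
    return build_esl(EFI_CERT_SHA256_GUID, owner, list(digests))


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for every entry of every concatenated list in `blob`."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the blob")
        if sig_size <= _GUID_LEN:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body = blob[off + _HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:_GUID_LEN]), bytes(entry[_GUID_LEN:])))
        off += list_size
    return entries


def contains_cert(blob, der_cert):
    """True if any X.509 entry in `blob` is byte-for-byte equal to `der_cert`."""
    return any(t == EFI_CERT_X509_GUID and d == der_cert for t, _, d in parse_esl(blob))


def load_keyset(directory):
    """Read PK.esl, KEK.esl, db.esl and dbx.esl from `directory`; missing files are left out."""
    keyset = {}
    for name in ("PK", "KEK", "db", "dbx"):
        path = os.path.join(directory, name + ".esl")
        if os.path.exists(path):
            with open(path, "rb") as fh:
                keyset[name] = fh.read()
    return keyset


def audit_keyset(esls, disallowed=()):
    """Sanity-check a {name: blob} set before packaging; returns a list of problems (empty = OK).

    `disallowed` holds DER certificates that must not appear anywhere, e.g. the public
    development certificates shipped in a firmware tree that you intended to replace.
    """
    problems = []
    for name in ("PK", "KEK", "db", "dbx"):
        blob = esls.get(name)
        if blob is None:
            problems.append(name + ".esl is missing")
            continue
        try:
            entries = parse_esl(blob)          # an empty dbx.esl (0 bytes) parses to []
        except ValueError as err:
            problems.append(name + ".esl is unparsable: " + str(err))
            continue
        x509 = [d for t, _, d in entries if t == EFI_CERT_X509_GUID]
        if name == "PK" and len(x509) != 1:
            problems.append("PK.esl must hold exactly one X.509 certificate, found %d" % len(x509))
        if name in ("KEK", "db") and not entries:
            problems.append(name + ".esl is empty; nothing could be enrolled or booted")
        if any(d in disallowed for d in x509):
            problems.append(name + ".esl still contains a disallowed (development) certificate")
    return problems
```

Run load_keyset on the directory holding your freshly generated files and pass the DER form of the shipped development certificates as disallowed; an empty list from audit_keyset means the set is at least structurally sane and free of the keys you meant to replace, which is the cheapest check to make before the firmware is rebuilt and flashed.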