coreboot vboot signing
Verified Boot is a method of verifying that the firmware components haven't been tampered with. It uses cryptographic signatures to determine whether the firmware comes from a trusted source. This document covers the procedure for generating vboot keys and configuring the coreboot build system to sign the binaries with the generated keys.
Navigate to the coreboot tree.
Start by updating git submodules:
git submodule update --init --checkout
Build and install vboot utilities:
cd 3rdparty/vboot
make
sudo make install
Navigate to the directory containing vboot key generation scripts:
Generate the keys with the following command:
The keys will be created in the directory
Adding keys to the coreboot config
In the root of the coreboot tree, execute the following command:
Verified Boot (vboot) -> Vboot keys and enter the paths to the keys in the appropriate fields.
nconfig by pressing Esc repeatedly and pressing Enter when prompted to save the configuration.
Now, rebuild coreboot with this config to generate images signed with the chosen vboot keys.
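A pre-build check for the key paths entered above, as an added example that is not part of the original document or the coreboot project: it reads .config and reports key entries that are unset, missing on disk, still set to the default test keys, or (for the private key) accessible to other users. The Kconfig symbol names and the "devkeys" pattern are assumptions based on upstream coreboot, not taken from this page.

```shell
#!/bin/bash
# Added example: audit the vboot key paths in a coreboot .config before building.
# Run from the root of the coreboot tree so relative key paths resolve.
# Assumption: Kconfig symbol names as found in upstream coreboot.
VBOOT_KEY_SYMBOLS="VBOOT_ROOT_KEY VBOOT_RECOVERY_KEY VBOOT_FIRMWARE_PRIVKEY
VBOOT_KERNEL_KEY VBOOT_KEYBLOCK"
# Assumption: the stock, publicly known test keys sit in a "devkeys" directory.
DEFAULT_KEY_PATTERN="devkeys"

# check_vboot_keys CONFIG_FILE
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
check_vboot_keys() {
    config=$1
    findings=0
    [ -r "$config" ] || { echo "cannot read $config"; return 2; }
    for sym in $VBOOT_KEY_SYMBOLS; do
        # Last assignment wins; strip CONFIG_<sym>=" and the closing quote.
        value=$(sed -n "s/^CONFIG_${sym}=\"\(.*\)\"\$/\1/p" "$config" | tail -n 1)
        if [ -z "$value" ]; then
            echo "$sym: not set"
            findings=$((findings + 1))
            continue
        fi
        case $value in
            *"$DEFAULT_KEY_PATTERN"*)
                echo "$sym: still uses the default test key ($value)"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ ! -f "$value" ]; then
            echo "$sym: file not found ($value)"
            findings=$((findings + 1))
            continue
        fi
        # Only the private signing key is secret: no group/other permission bits.
        case $sym in
            *PRIVKEY)
                perms=$(ls -ldL "$value" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "$sym: private key open to group/others ($value)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Call it as check_vboot_keys .config after saving the configuration; a non-zero return means the image should not be built and shipped with the current key settings.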