Prerequisites
Check metabuild
Identify the correct images for signing by checking the following files in the metabuild.

<Metabuild>/<chipset>.LE.X.x/contents.xml

This file has details about:
- The source path of each image.
- The format of each image (for example, pil-split or mbn).

<Metabuild>/<chipset>.LE.X.x/common/sectoolsv2/<chipset>_security_profile.xml

This file provides signing-related metadata, including:
- --image-id values.
- A list of images that must be signed by users to ensure device security.
Change SecTools commands for Windows
To use SecTools commands on the Windows platform, replace <Metabuild>/<chipset>.LE.X.x/common/sectoolsv2/ext/Linux/sectools with <Metabuild>/<chipset>.LE.X.x/common/sectoolsv2/ext/Windows/sectools.exe.
Sign the images
Image signing is a security process that adds a cryptographic signature to a digital image. The signature verifies the authenticity, integrity, and origin of the image. Without image signing, there is no assurance of an image’s integrity or trusted origin, leading to potential security breaches and data loss. Follow these steps to sign the images.
- You can sign the images using SecTools V2. Different signing methods and secure image functionality are available. For more information, see SecTools V2: Secure Image User Guide.
- You can generate the keys and certificates using a local signer. For more information, see Generate local (insecure) root key and certificate.
- To sign a single image, run the following command, where tz.mbn is used as an example.
  Note: You can replace the values of OEM ID “0x1” and OEM Product ID “0xabcd” according to your requirement.
  The following is a sample command for IQ-9075/IQ-9100.
  Note: Update the image path according to the path specified in the contents.xml file.
- Check for all images with the pil_split flag in the contents.xml file. Example:
  pil_split = "adsp"
  For images that should be split, use the --pil-split option.
- For signing the complete metabuild, use the following commands. For more information, see SecTools V2: Metabuild Secure Image User Guide.
Note: The SecTools guides are available to licensed users with authorized access.
Generate the signed sec.elf image
Generating a signed sec.elf image involves creating a secure executable and linkable format (ELF) file with a cryptographic signature. Signing this image ensures its authenticity, integrity, and origin. A fuse blower binary is used to permanently disable certain functionalities or components of a device for security reasons. Generating a signed sec.elf image along with a fuse blower binary involves a series of steps to ensure both the integrity of the firmware and the security of the device. To generate the fuse blower binary, see SecTools V2: Fuse Blower User Guide.
Integrate the sample commands using SecTools
This section provides sample commands only. The following are sample commands for SecTools on Windows.
Note:
- Ensure that values such as the PK hash, OEM ID, and Product ID in the command are in hexadecimal format.
- You can replace the values of OEM ID “0x1” and OEM Product ID “0xabcd” according to your requirement.
- You can replace the value of --fuse-pk-hash-0 with the SHA384 of OEM-KEYS/qpsa_rootca.cer. To calculate the correct PK hash value, use the following command:
  For more information, see Generate SHA-384 hash for RSA and ECDSA.
- Use the digest generated here from the user root certificate in the sec.elf generation command below.
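The PK hash is the one value in these commands that is burned into one-time fuses, so it is worth computing it in a way you can verify independently of any single tool. The script below is an added example, not code from the page or from SecTools: it computes the SHA-384 digest of the root certificate and renders it as the hexadecimal value the notes above require. It assumes the digest is taken over the certificate's DER bytes (a PEM-armoured .cer is decoded first) and that a 0x prefix is acceptable; confirm both against your SecTools guide before fusing.

```python
"""Compute the SHA-384 root-certificate digest used for --fuse-pk-hash-0.

Added example (not Qualcomm's or SecTools' own code). Assumptions, labelled:
- the digest is taken over the certificate's DER bytes, so a PEM-encoded
  .cer is decoded first; confirm the expected encoding against the SecTools
  guide before fusing anything, since fuses cannot be reverted.
- the result is rendered as 0x-prefixed hex because the surrounding notes
  require hexadecimal values; pk_hash_hex() gives the bare digest.
"""
import base64
import hashlib
import re
import sys

# PEM armour for an X.509 certificate; DOTALL so the body may span lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def certificate_to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM or as raw DER.

    A PEM file is detected by its BEGIN/END armour and base64-decoded;
    anything without armour is treated as DER already.
    """
    match = PEM_RE.search(data)
    if match is None:
        return data
    body = b"".join(match.group(1).split())  # drop line breaks inside the armour
    return base64.b64decode(body, validate=True)


def pk_hash_hex(der: bytes) -> str:
    """SHA-384 hex digest of the DER-encoded root certificate (96 hex chars)."""
    return hashlib.sha384(der).hexdigest()


def fuse_pk_hash_argument(cert_bytes: bytes) -> str:
    """Build the value to pass to --fuse-pk-hash-0 (0x-prefixed hex, assumption)."""
    return "0x" + pk_hash_hex(certificate_to_der(cert_bytes))


def pk_hash_from_file(path: str) -> str:
    """Read a certificate file and return its --fuse-pk-hash-0 value."""
    with open(path, "rb") as fh:
        return fuse_pk_hash_argument(fh.read())


if __name__ == "__main__":
    # Usage: python pk_hash.py OEM-KEYS/qpsa_rootca.cer
    cert_path = sys.argv[1] if len(sys.argv) > 1 else "OEM-KEYS/qpsa_rootca.cer"
    print(pk_hash_from_file(cert_path))
```

Run it twice, once here and once through whatever method the SecTools guide gives, and only proceed to the sec.elf command when the two digests agree.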
- Stage 1: Basic secure boot (image authentication + OEM ID + MODEL ID)
  Run the following command. Variants are provided for QCS5430/QCS6490, IQ-9075/IQ-9100, IQ-8275/IQ-8300, and IQ-615.
- Stage 2: Complete secure boot (basic secure boot + debug disable + anti-rollback + write permission disable)
  Run the following commands. Variants are provided for QCS5430/QCS6490, IQ-9075/IQ-9100, IQ-8275/IQ-8300, and IQ-615.
Note: The SecTools guides are available to licensed users with authorized access.
Important: The OEM_enable_bootup_from_a_b_partition configuration is optional and is located in trustzone_images/ssg/securemsm/trustzone/qsee/mink/oem/config/<chipset>/oem_config.xml. Its default value is 0. When it is set to 1 and devcfg is recompiled, it enables rollback safety: after boot confirmation using an SMC from UEFI or from client applications, it allows TrustZone to update the image rollback versions.
Use unified image encryption
Unified image encryption (UIE) is a standardized image‑encryption scheme. It uses a hierarchical L1-L2-L3 AES key ladder: L1 is the root key, which is fused in hardware; L2 is the next-level key, wrapped with the L1 key; and L3 is the key used to encrypt the image, wrapped with the L2 key. For command-line usage related to UIE encryption, see SecTools V2: Secure Image User Guide. UIE encryption isn’t supported for IQ-9075/IQ-9100 and IQ-8275/IQ-8300.
Note: The SecTools guides are available to licensed users with authorized access.
Generate your own key for encryption
- The user UIE keys are standard AES-128 keys and can be generated using the OpenSSL tool. Use the command:
  openssl enc -aes-128-cbc -k secret -P -md sha1
  Where:
  - openssl enc: Invokes the OpenSSL encryption tool.
  - -aes-128-cbc: Specifies the encryption algorithm, AES with a 128-bit key in cipher block chaining (CBC) mode.
  - -k secret: Provides the password (secret) from which the key and initialization vector (IV) are derived.
  - -P: Prints the derived key and IV instead of performing an encryption or decryption.
  - -md sha1: Specifies the message digest algorithm (sha1) used in the key derivation function (KDF).
  Output:
  salt=E2A1F3C4D5B6A798
  key=5F4DCC3B5AA765D61D8327DEB882CF99
  iv =AABBCCDDEEFF00112233445566778899
- Copy the key to a file to make your key.
  echo -n "5F4DCC3B5AA765D61D8327DEB882CF99" | xxd -r -p > l1_key.key
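The two commands above hide what actually produces the key: `openssl enc -k ... -P` runs OpenSSL's legacy password-to-key routine (EVP_BytesToKey, one iteration, using the digest given by -md) and `xxd -r -p` turns the printed hex into the 16 raw bytes SecTools reads from the key file. The following added example, which is not part of the page or of SecTools, reproduces both steps in Python so the derivation can be inspected and the key file checked before it is used. The salt and the sample key it uses are constructed; the page's printed salt/key/iv are illustrative values and are not claimed to derive from "secret".

```python
"""Reproduce `openssl enc -aes-128-cbc -k <password> -P -md sha1` and the
`xxd -r -p` key-file conversion.

Added example, not part of the original page or of SecTools. OpenSSL's
legacy password-to-key step for `enc` (without -pbkdf2) is EVP_BytesToKey
with a single iteration over the digest named by -md; this implements that
for a 16-byte AES-128 key and a 16-byte IV. Salts and keys below are
constructed for illustration.
"""
import hashlib
import os


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 16,
                     iv_len: int = 16, digest: str = "sha1") -> tuple:
    """EVP_BytesToKey with count=1.

    D_0 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    the concatenated D_i are split into key bytes followed by IV bytes.
    """
    if len(salt) != 8:
        raise ValueError("openssl enc uses an 8-byte salt")
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_like_openssl(password: str, salt: bytes) -> dict:
    """Return salt/key/iv as upper-case hex, the way `openssl enc -P` prints them."""
    key, iv = evp_bytes_to_key(password.encode(), salt)
    return {"salt": salt.hex().upper(), "key": key.hex().upper(), "iv": iv.hex().upper()}


def key_hex_to_bytes(key_hex: str) -> bytes:
    """Equivalent of `echo -n KEYHEX | xxd -r -p`, with a length check the
    shell pipeline does not perform: a UIE L1 key must be exactly 128 bits."""
    raw = bytes.fromhex(key_hex)
    if len(raw) != 16:
        raise ValueError(f"expected 16 key bytes, got {len(raw)}")
    return raw


def write_key_file(key_hex: str, path: str) -> int:
    """Write the raw key bytes to `path` (like `> l1_key.key`); returns bytes written."""
    raw = key_hex_to_bytes(key_hex)
    with open(path, "wb") as fh:
        fh.write(raw)
    return len(raw)


if __name__ == "__main__":
    salt = os.urandom(8)  # openssl draws a fresh random salt on every run
    derived = derive_like_openssl("secret", salt)
    for name, value in derived.items():
        print(f"{name}={value}")
    print("wrote", write_key_file(derived["key"], "l1_key.key"), "bytes to l1_key.key")
```

Because the key is a deterministic function of the password and salt, it is only as unpredictable as the password behind it; for a production L1 key, prefer 16 random bytes (for example `openssl rand -hex 16`) and protect the resulting key file the same way you protect the signing keys.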
Generate a UIE sec.elf file
- Use the following command to generate a UIE sec.elf file.
- Update the security profile XML appropriate to the chipset.
- Use the signing mode LOCAL or PLUGIN according to your requirement.
- Update the encryption key according to your key.
Encrypt the binaries
To encrypt the binaries with the test keys, use the following arguments along with the signing command.

To encrypt the binaries with the local keys, use the following arguments along with the signing command.
Flash the images
Flashing images involves writing an entire image, including partitions, file systems, and data, onto a storage device. This process maintains the functionality, security, and performance of the device. Follow these steps to flash the images:
- See Set QFPROM fuses for the list of fuses to configure.
- Replace all binaries with the signed non-Linux binaries generated in Sign the images, including prog_firehose_ddr.elf. To replace the PIL images, replace the existing PIL images with their corresponding signed versions generated earlier:
  - Extract the <chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw.zip file.
  - Replace the PIL split binaries and the .mdt files generated in the signed output into the extracted directory <chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw/lib/firmware/qcom/<chipset_name>.
  - Zip the <chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw directory with the name <chipset_name>_fw.zip.
  - Recompile the Yocto build.
- To flash all the signed binaries to the device, see Qualcomm Linux Build Guide.
- After generating the signed images and sec.elf, enable secure boot:
  - Flash the signed images first without sec.elf and ensure that the device boots successfully.
  - Flash sec.elf by updating the correct rawprogramX.xml file. Find the rawprogramX.xml file with the label="secdata" entry and update the filename in that entry with sec.elf. For example, in QCM6490:
    <program start_sector="315239" size_in_KB="28.0" physical_partition_number="4" partofsingleimage="false" file_sector_offset="0" num_partition_sectors="7" readbackverify="false" filename="sec.elf" sparse="false" start_byte_hex="0x4cf67000" SECTOR_SIZE_IN_BYTES="4096" label="secdata"/>
  - Flash the signed images and sec.elf using the flash procedure from Qualcomm Linux Build Guide.
  - Flash the image using PCAT.
- Verify that secure boot is enabled using Bring up → Verified secure boot.
Important: With secure boot enabled, the device expects images to be flashed using a secure programming method called validated image programming (VIP). To proceed, see Perform VIP flashing.
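Editing the secdata entry by hand is where a flash run most easily goes wrong: the partition geometry in that element (start_sector, num_partition_sectors, physical_partition_number) must stay exactly as generated while only filename changes. The script below is an added example, not Qualcomm's tooling, that performs that one edit over a set of rawprogramX.xml files: it locates the <program> element labelled secdata, sets its filename to sec.elf, refuses to proceed if no such entry or more than one exists, and leaves every other attribute and entry untouched. The embedded sample XML is constructed for illustration (the secdata geometry mirrors the QCM6490 example above; the second entry is made up).

```python
"""Point the secdata entry of a rawprogramX.xml file at sec.elf.

Added example, not Qualcomm's own tooling. It implements the manual step
described above: find the <program> element whose label is "secdata" and set
its filename attribute to sec.elf, leaving all other attributes and entries
untouched. SAMPLE_RAWPROGRAM is constructed for illustration; real files
carry many more <program> entries.
"""
import glob
import os
import xml.etree.ElementTree as ET

SAMPLE_RAWPROGRAM = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="4096" file_sector_offset="0" filename=""
           label="secdata" num_partition_sectors="7" partofsingleimage="false"
           physical_partition_number="4" readbackverify="false" size_in_KB="28.0"
           sparse="false" start_byte_hex="0x4cf67000" start_sector="315239"/>
  <program SECTOR_SIZE_IN_BYTES="4096" file_sector_offset="0" filename="tz.mbn"
           label="tz" num_partition_sectors="1024" partofsingleimage="false"
           physical_partition_number="4" readbackverify="false" size_in_KB="4096.0"
           sparse="false" start_byte_hex="0x4d000000" start_sector="315648"/>
</data>
"""


def _secdata_elements(root):
    """All <program> elements labelled secdata (normally exactly one)."""
    return [p for p in root.iter("program") if p.get("label") == "secdata"]


def secdata_entry(xml_text: str):
    """Return the attributes of the secdata entry, or None if the file has none."""
    hits = _secdata_elements(ET.fromstring(xml_text))
    return dict(hits[0].attrib) if hits else None


def set_secdata_filename(xml_text: str, filename: str = "sec.elf") -> str:
    """Return the XML with the secdata entry's filename set to `filename`.

    Raises LookupError when the file has no secdata entry (wrong rawprogramX.xml)
    and ValueError when it has several (ambiguous; fix the file by hand).
    """
    root = ET.fromstring(xml_text)
    hits = _secdata_elements(root)
    if not hits:
        raise LookupError('no <program> entry with label="secdata"')
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} secdata entries found; expected exactly one")
    hits[0].set("filename", filename)
    return ET.tostring(root, encoding="unicode")


def update_rawprogram_files(directory: str, filename: str = "sec.elf") -> list:
    """Update every rawprogram*.xml in `directory` that carries a secdata entry.

    Files without the entry are skipped untouched; returns the paths modified.
    """
    modified = []
    for path in sorted(glob.glob(os.path.join(directory, "rawprogram*.xml"))):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if secdata_entry(text) is None:
            continue
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(set_secdata_filename(text, filename))
        modified.append(path)
    return modified


if __name__ == "__main__":
    # Usage: python update_secdata.py <dir containing rawprogramX.xml files>
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for changed in update_rawprogram_files(target):
        print("updated", changed, secdata_entry(open(changed, encoding="utf-8").read()))
```

Running it with a directory argument updates only the rawprogramX.xml that actually carries the secdata partition, so the file set for the "without sec.elf" boot test and the later full flash differ in exactly that one attribute.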
Next steps
- To ensure device security by allowing only digitally signed images to be programmed, see Perform VIP flashing.
- To enforce strict access controls, see Enable SELinux.

