How to Create and Merge Asymmetric Boot Images

Create A chain:

cd $NV_WORKSPACE/drive-foundation
tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_a -D --chain A --asymmetric --fskp-bct-path $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/br_bct_BR_sigheader.bct -m

Create B chain:

  • Using a privacy key for all images

    # Specify the key
$PWD/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_b -D --chain B --asymmetric --encryption_key <Path to encryption key file> -p <Path_to_signing_key_file>
  • Using a unique privacy key per SoC 
    # Do not specify the key
$PWD/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_b -D --chain B --asymmetric --encryption_key <Path to encryption key file>
cd $NV_WORKSPACE
# Merge chains
${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${NV_WORKSPACE}/<merge-chain> --asymmetric --merge-chains A=<chain_a> B=<chain_b>

    For example,

    ${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn/create_bsp_images.py -b p3710-10-a04 -r 1 -g ${NV_WORKSPACE}/p3710-10-a04-merge -D --asymmetric --merge-chains A=${NV_WORKSPACE}/drive-foundation/p3710-10-a04/chain_a B=${NV_WORKSPACE}/drive-foundation-safety/p3710-10-a04/chain_b

  • Additional steps for using a unique key per SoC

    1. Sign the base package with the new unique key.

      ${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn_t23x_py/post_processing_tool.py --chip 0x23 --images ${NV_WORKSPACE}/p3710-10-a04-merge/642-63710-0010-000_TS4/flash-images/ --headers-output-dir ${NV_WORKSPACE}/p3710-10-a04-headers --asymmetric --signing-key ~/keys/edopenssl_v3_0.pem --debug

    2. Generate a new fuse block for the unique key (updated fskp_fuse.xml). For more information, see Create Fskp Firmware.

      ./fskp_fuseburn.py -c 0x23 -f fskp_fuse.xml -k fskp_t23x.key -g $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/ -i 63 -B <board> -b

    3. Copy the FSKP blob.

      cp $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/blob_fskp_updated_aligned_sigheader_encrypt.signed ${NV_WORKSPACE}/p3710-10-a04-headers
If the binaries are generated and flashed on different machines, then the following two generated files need to be copied from the machine on which they were generated to the machine on which they are to be flashed into the directory ${PDK_TOP}/drive-foundation/firmware/bin/t234/fskpboot/:
  1. br_bct_BR_sigheader.bct: This is the BootROM BCT to trigger the FSKP binary to run
  2. blob_fskp_updated_aligned_sigheader_encrypt.signed: This is the FSKP binary and fuses