How to Create and Merge Asymmetric Boot Images

Create A chain:

cd $NV_WORKSPACE/drive-foundation
tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_a -D --chain A --asymmetric --fskp-bct-path $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/br_bct_BR_sigheader.bct -m

Create B chain:

  • Using a privacy key for all images

    # Specify the key
$PWD/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_b -D --chain B --asymmetric --encryption_key <Path to encryption key file> -p <Path_to_signing_key_file>
  • Using a unique privacy key per SoC 
    # Do not specify the key
$PWD/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${PWD}/<board>/chain_b -D --chain B --asymmetric --encryption_key <Path to encryption key file>
cd $NV_WORKSPACE
# Merge chains
${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn/create_bsp_images.py -b <board> -r 1 -g ${NV_WORKSPACE}/<merge-chain> --asymmetric --merge-chains A=<chain_a> B=<chain_b>

    For example,

    ${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn/create_bsp_images.py -b p3710-10-a04 -r 1 -g ${NV_WORKSPACE}/p3710-10-a04-merge -D --asymmetric --merge-chains A=${NV_WORKSPACE}/drive-foundation/p3710-10-a04/chain_a B=${NV_WORKSPACE}/drive-foundation-safety/p3710-10-a04/chain_b

  • Additional steps for using a unique key per SoC

    1. Sign the base package with the new unique key.

      ${NV_WORKSPACE}/drive-foundation/tools/flashtools/bootburn_t23x_py/post_processing_tool.py --chip 0x23 --images ${NV_WORKSPACE}/p3710-10-a04-merge/642-63710-0010-000_TS4/flash-images/ --headers-output-dir ${NV_WORKSPACE}/p3710-10-a04-headers --asymmetric --signing-key ~/keys/edopenssl_v3_0.pem --debug

    2. Generate a new fuse block for the unique key (updated fskp_fuse.xml). For more information, see Create Fskp Firmware.

      ./fskp_fuseburn.py -c 0x23 -f fskp_fuse.xml -k fskp_t23x.key -g $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/ -i 63 -B <board> -b

    3. Copy the FSKP blob.

      cp $NV_WORKSPACE/drive-foundation/firmware/bin/t234/fskpboot/blob_fskp_updated_aligned_sigheader_encrypt.signed ${NV_WORKSPACE}/p3710-10-a04-headers