This guide enables Thistle Verified Boot (TVB) on the Advantech RSB‑3810 running the default Ubuntu image from Advantech. TVB validates a signed Linux kernel at boot via a U‑Boot based chain. On MediaTek Genio 1200 platforms, the vendor Ubuntu image boots with U‑Boot providing UEFI services (reported as “EFI v2.90 by Das U‑Boot” in system logs), then chainloads shim/GRUB from the EFI System Partition before Linux. You can intercept U‑Boot early over serial (115200 8N1) and execute a TVB boot script. If your particular image truly lacks U‑Boot, follow the fallback section to add it.
Hardware details: RSB‑3810 features the MediaTek Genio 1200 (MT8395) SoC with:
  • Boot chain: U-Boot (with UEFI services) → shim → GRUB → Linux kernel
  • Default OS: Ubuntu 22.04 LTS (Canonical certified)
  • eMMC partition layout includes separate EFI system partition (/boot/efi)
  • Serial console: Available via debug header or micro-USB (115200 8N1)
TVB relies on U‑Boot to validate kernel signatures at boot time. The board’s U-Boot implementation provides UEFI services while maintaining access to U-Boot commands via serial console.

Board setup (vendor docs)

Use the vendor Ubuntu image (typically Ubuntu 22.04 LTS) or Ubuntu/Debian from the BSP. Ensure you have serial access (115200 8N1) via the debug UART pins or micro-USB console, and/or SSH access via Ethernet.

Boot chain prerequisites

First check if the system is booting with EFI/GRUB and whether U‑Boot is available.
# On the device
test -d /sys/firmware/efi && echo "EFI present" || echo "EFI not present"
command -v efibootmgr >/dev/null 2>&1 && sudo efibootmgr -v | head -n 5 || true
If efibootmgr shows Ubuntu shim/GRUB entries and kernel logs show “EFI v2.90 by Das U‑Boot”, the platform firmware is U‑Boot with UEFI services. Use serial console (115200 8N1) to interrupt U‑Boot at power‑on by pressing any key when you see “Hit any key to stop autoboot”. The window is typically 2-3 seconds. If you miss it, extend bootdelay once you do get in, or create a boot.scr as shown below. Only if your image truly lacks U‑Boot should you add it. If you do not plan to add U‑Boot, you can still use Thistle OTA updates (file or A/B) without TVB.

How Genio boots (what you should expect)

  • Boot ROM → TF‑A/OP‑TEE → U‑Boot (built with UEFI support) → shim → GRUB → Linux
  • Evidence on a running system:
    • journalctl -b | grep -Ei 'U-Boot|EFI|GRUB' shows lines like “efi: EFI v2.90 by Das U‑Boot” and GRUB services
    • dmesg | grep -i efi will show EFI-related boot messages
    • efibootmgr -v shows entries under \EFI\ubuntu\ (shim/grub). The ESP is mounted at /boot/efi.

If your image truly lacks U‑Boot (fallback)

If your board boots pure EFI/GRUB without U‑Boot firmware, add U‑Boot before proceeding with TVB. There are two common approaches:

Option A: Chainload U‑Boot as an EFI application (non‑destructive)

  1. Obtain the vendor U‑Boot (SystemReady) package for RSB‑3810 from Advantech’s firmware portal (access may require a product barcode): https://www.advantech.com/id-id/support/details/firmware?id=1-2M3QODI.
  2. On the device, mount the EFI system partition and back it up:
# List EFI mounts to confirm the ESP is mounted at /boot/efi before archiving it
sudo mkdir -p /boot/efi && sudo mount | grep efi || true
sudo tar -C /boot/efi -czf ~/efi-backup.tgz .
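  3. Copy the U‑Boot EFI binary to a new path and create an EFI boot entry:
sudo mkdir -p /boot/efi/EFI/Advantech
sudo cp u-boot.efi /boot/efi/EFI/Advantech/u-boot.efi
# efibootmgr assumes the loader is on /dev/sda partition 1; if the ESP is elsewhere
# (check with: findmnt /boot/efi), add --disk and --part for it.
# Single quotes keep backslashes literal, so the loader path uses single backslashes.
sudo efibootmgr --create --label "U-Boot" --loader '\EFI\Advantech\u-boot.efi' --timeout 2
sudo efibootmgr -v | head -n 10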
  4. Reboot and confirm you see a U‑Boot prompt on the serial console (press a key to stop autoboot). You can remove or reorder this entry later with efibootmgr.

Option B: Vendor flashing/update method

If the package provides firmware images and an installer, follow Advantech’s instructions from the same portal to replace the bootloader with U‑Boot. This may involve a recovery/update process; ensure power/serial are stable and back up EFI first.

Prerequisites

  • RSB‑3810 board with Linux OS
  • U‑Boot‑based bootloader capable of loading a boot script and kernel
  • Access to Thistle Control Center with TVB signing enabled
  • Optional secure element (e.g., OPTIGA Trust M) can be connected via I²C for enhanced security, but is not required for basic TVB operation
  • The RSB-3810 exposes I²C interfaces through the UIO40-Express expansion connector

Verify U‑Boot capabilities

On the serial console, confirm:
U-Boot> help fatload
U-Boot> help ext4load
U-Boot> help source
U-Boot> printenv bootcmd
If these are present, TVB using a boot.scr is supported. Ensure a FAT boot partition is mounted at /boot or /boot/efi at boot.

Extract and Prepare Kernel

  1. Mount the boot partition and copy the kernel image to the workstation:
# Connect to the board
ssh ubuntu@<board-ip> 'mount | grep -E "/boot|efi" || true'

# The RSB-3810 Ubuntu image typically uses vmlinuz
scp ubuntu@<board-ip>:/boot/vmlinuz ./kernel || scp ubuntu@<board-ip>:/boot/Image ./kernel
  2. In Thistle Control Center, create a Signed Firmware bundle for TVB and upload the kernel file. Download the resulting signature file as kernel-sig.

Download helper binaries

  • TVB signing is performed server‑side by Thistle; no helper binary is required. You only need the signed kernel-sig from the Control Center. For OTA (separate), see the OTA guide for TRH/TUC downloads.

Deploy TVB Assets

  1. Copy kernel-sig back to the board’s boot partition:
scp kernel-sig ubuntu@<board-ip>:/tmp/
ssh ubuntu@<board-ip> 'sudo cp /tmp/kernel-sig /boot/kernel-sig && sudo chmod 644 /boot/kernel-sig && sync'
  2. Ensure your U‑Boot environment or boot script loads kernel, kernel-sig, and verifies the signature using the embedded public key provided by Thistle in the boot assets. If you use the Thistle U‑Boot script, place the boot script (boot.scr) and configured binaries into /boot (or /boot/efi on this Ubuntu image).
For reference boot script structure, see Thistle U‑Boot and the raw script used for A/B slot management: raw.scr. For RSB‑3810 specifically (aarch64, FAT ESP at /boot/efi), the prebuilt dual‑boot variant to start from is typically boot_dualboot_vfat_aarch64.scr (adjust paths and commands for your kernel layout). TVB uses ECDSA‑P256 signatures and checks the signature before jumping to the kernel.

Provision the TVB Public Key

In Thistle Control Center, navigate to Settings → Access → Signed Firmware and copy the TVB public key. On the board, store it in the expected location per your U‑Boot integration (commonly compiled into the bootloader or placed as a binary blob read by the script). If compiled‑in, rebuild and update U‑Boot once.

Boot Verification

Reboot the board and check the serial console for messages indicating signature verification success. If verification fails, ensure the kernel and signature pair match and that the public key matches the project.
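A pre-reboot check for the mismatch case described above, as an added example that is not part of the Thistle or Advantech material: it pins the SHA-256 of the exact kernel file uploaded for signing and confirms on the device that kernel and kernel-sig still form that pair. The manifest file and the tvb_* function names are hypothetical, and the script does not verify the ECDSA signature itself, which remains the boot script's job.

```shell
#!/bin/sh
# Added example. kernel and kernel-sig follow the page's file names; the
# manifest file and the tvb_* function names are hypothetical.

# Workstation: record the SHA-256 of the exact file uploaded for signing.
tvb_pin() {    # usage: tvb_pin <kernel> <manifest>
    [ -s "$1" ] || { echo "FAIL: kernel '$1' missing or empty" >&2; return 2; }
    sha256sum < "$1" | cut -d' ' -f1 > "$2"
}

# Device: confirm the kernel the boot script will load is still the signed one.
# Returns 0 = pair intact, 1 = kernel changed since signing,
#         2 = kernel or manifest unusable, 3 = signature file missing or empty.
tvb_check() {  # usage: tvb_check <kernel> <kernel-sig> <manifest>
    [ -s "$1" ] || { echo "FAIL: kernel '$1' missing or empty" >&2; return 2; }
    [ -s "$3" ] || { echo "FAIL: manifest '$3' missing or empty" >&2; return 2; }
    [ -s "$2" ] || { echo "FAIL: signature '$2' missing or empty" >&2; return 3; }
    want=$(cat "$3")
    have=$(sha256sum < "$1" | cut -d' ' -f1)   # follows the vmlinuz symlink
    if [ "$want" != "$have" ]; then
        echo "FAIL: $1 differs from the kernel that was signed" >&2
        echo "      signed: $want" >&2
        echo "      found:  $have" >&2
        return 1
    fi
    echo "OK: $1 matches the signed kernel ($have); $2 present"
}

# Command-line entry points: "pin" on the workstation, "check" on the board.
case "${1:-}" in
    pin)   shift; tvb_pin "$@" ;;
    check) shift; tvb_check "$@" ;;
esac
```

Re-run the check after any kernel package update, since a replaced /boot/vmlinuz no longer matches the file that was uploaded for signing.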

Notes

  • The RSB-3810 Ubuntu image typically names the kernel vmlinuz in /boot. Adjust paths in your boot script accordingly.
  • Default login credentials for Advantech Ubuntu images are typically ubuntu/ubuntu (must be changed on first login).
  • For boards without a custom U‑Boot, integrate the Thistle boot script and rebuild U‑Boot once with the public key embedded.
  1. Build the TVB boot script on the workstation (example):
# Create boot.cmd with the TVB flow
cat > boot.cmd << 'EOF'
# Thistle TVB boot script skeleton for RSB-3810
# Prefer distro-boot variables so this works across storage types
# Load kernel and signature from the EFI system partition
fatload ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} /vmlinuz || \
  ext4load ${devtype} ${devnum}:${distro_bootpart} ${kernel_addr_r} /vmlinuz
fatload ${devtype} ${devnum}:${distro_bootpart} ${ramdisk_addr_r} /kernel-sig || \
  ext4load ${devtype} ${devnum}:${distro_bootpart} ${ramdisk_addr_r} /kernel-sig

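# Perform TVB verification here using your integrated verification routine
# (see Thistle documentation). This skeleton contains no verification step:
# as written, the booti below runs unconditionally, so make it conditional on
# the verification result before deploying.
booti ${kernel_addr_r} - ${fdt_addr_r}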
EOF

# Compile to U‑Boot script image
mkimage -A arm64 -O linux -T script -d boot.cmd boot.scr
scp boot.scr ubuntu@<board-ip>:/tmp/
ssh ubuntu@<board-ip> 'sudo mv /tmp/boot.scr /boot/boot.scr && sync'
  2. Connect via serial console (115200 8N1) and interrupt U-Boot at startup. At the U‑Boot prompt, configure the boot script priority:
=> setenv bootdelay 3
=> setenv boot_scripts 'boot.scr'
=> saveenv
  3. Reboot. U‑Boot should execute /boot/boot.scr first, perform TVB signature verification, and only chainload shim/GRUB if scripted to do so.
Many distro U‑Boot builds already scan for boot.scr on the boot partition. The steps above make it explicit and lengthen the window to interrupt boot if needed. On RSB-3810, the boot partition is typically on eMMC device mmc0 and mounted at /boot/efi. For a refresher on building boot.scr from boot.cmd with mkimage, see AMD’s PetaLinux reference on U‑Boot boot scripts: “Configuring U‑Boot Boot Script (boot.scr)”.