> ## Documentation Index > Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt > Use this file to discover all available pages before exploring further. # BeagleY-AI BeagleY-AI This guide outlines the steps to enable **Thistle Verified Boot (TVB)** on a **BeagleY-AI** using an **Infineon OPTIGA™ Trust M** as the hardware root of trust. By the end, your BeagleY-AI will only boot kernels signed by your Thistle Control Center project's key, verified against the public key stored in the Trust M. *** ## Prerequisites * **BeagleY-AI** board with power supply and necessary cables * **Infineon OPTIGA Trust M** secure element (on breakout board) * **I²C wiring** from Trust M to BeagleY-AI: * SDA → GPIO 2 (Physical Pin 3) * SCL → GPIO 3 (Physical Pin 5) * 3.3V Power * GND * **MicroSD card** (8 GB or larger) * **BeagleY-AI OS image** from [BeagleBoard.org](https://beagleboard.org/latest-images) * **Thistle Control Center account** with: * A project * A Linux Kernel Verified Boot key pair * **Host computer** (Linux/macOS) with internet access * *(Optional)* USB UART cable for serial console access *** ## Step 1: Flash the OS 1. Download the [BeagleY-AI image](https://beagleboard.org/latest-images). 2. Flash it to the SD card using `dd`: ```bash theme={"dark"} sudo dd if=beagley-ai-image.img of=/dev/sdX bs=4M status=progress && sync ``` 3. Insert the SD card into the BeagleY-AI and power it on. 4. Log in if prompted (default credentials may vary). *** ## Step 2: Sign the Kernel 1. Mount the boot partition from the SD card: ```bash theme={"dark"} sudo mount /dev/sdX1 /mnt/boot ``` 2. Copy the `Image` file to your computer: ```bash theme={"dark"} cp /mnt/boot/Image ./Image ``` 3. In Thistle Control Center: * Navigate to your project → **Signed Firmware** * Click **+ Signed Firmware Bundle** * Select: * **Hardware**: BeagleY-AI + OPTIGA Trust M * **Firmware Type**: Linux Kernel Verified Boot * Upload `Image` * Click **Create** 4. Download the resulting `kernel-sig` file. *** ## Step 3: Program the Trust M 1. On the BeagleY-AI, download and unzip the Trust M tools: ```bash theme={"dark"} curl -LO https://storage.googleapis.com/thistle-blobs/bbai/trustm.zip unzip trustm.zip cd trustm/bin sudo cp *.so /usr/lib ``` 2. Verify the Trust M: ```bash theme={"dark"} sudo trustm_chipinfo ``` 3. Copy your public key from Thistle Control Center and save it as `project_pubkey.pem`. 4. Convert to Trust M format: ```bash theme={"dark"} openssl ec -pubin -in project_pubkey.pem -outform DER 2>/dev/null \ | xxd -i -s 27 | xxd -r -p > pk ``` 5. Write the public key to slot `0xE0E8`: ```bash theme={"dark"} sudo trustm_data -X -e -w 0xe0e8 -i pk ``` 6. *(Optional)* Lock the slot: ```bash theme={"dark"} sudo trustm_metadata -X -C n -w 0xe0e8 ``` *** ## Step 4: Install Thistle Boot Assets 1. Mount the SD card’s boot partition: ```bash theme={"dark"} sudo mount /dev/sdX1 /mnt/boot cd /mnt/boot ``` 2. Backup existing boot files: ```bash theme={"dark"} mv u-boot.img u-boot.img.orig mv boot.scr boot.scr.orig ``` 3. Download Thistle’s U-Boot and boot script: ```bash theme={"dark"} curl -O https://storage.googleapis.com/thistle-blobs/bbai/u-boot.img curl -O https://storage.googleapis.com/thistle-blobs/bbai/boot.scr ``` 4. Copy the `kernel-sig` file to the boot partition: ```bash theme={"dark"} cp ~/Downloads/kernel-sig ./kernel-sig ``` 5. Sync and unmount: ```bash theme={"dark"} sync sudo umount /mnt/boot ``` *** ## Step 5: Boot and Verify 1. Insert the SD card into the BeagleY-AI and power it on. 2. Use a serial console (115200 baud) to monitor the boot process. 3. Look for messages indicating signature verification via Trust M. 4. If valid, the kernel will boot normally. 5. Log in and confirm the system is running with secure boot enabled. *** ## Conclusion You've successfully enabled Thistle Verified Boot on a BeagleY-AI with the Trust M secure element. Your device will now only boot kernels signed with your project’s private key, enhancing the security of your deployment.