> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# BeagleBone Black

<img src="https://mintcdn.com/thistletechnologies/MrBm0BC7xpW_ySdM/images/ti/BBB/BBB.png?fit=max&auto=format&n=MrBm0BC7xpW_ySdM&q=85&s=1a1138a2e0f63f2386d981872521195e" alt="BeagleBone Black" width="768" height="662" data-path="images/ti/BBB/BBB.png" />

This guide outlines the steps to enable **Thistle Verified Boot (TVB)** on a **BeagleBone Black** using an **Infineon OPTIGA™ Trust M** as the hardware root of trust. By the end, your BeagleBone Black will only boot kernels signed by your Thistle Control Center project's key, verified against the public key stored in the Trust M.

## Prerequisites

* **BeagleBone Black** board with power supply and necessary cables
* **Infineon OPTIGA Trust M** secure element (on breakout board)
* **I²C wiring** from Trust M to BeagleBone Black:
  * SDA → Pin 19
  * SCL → Pin 20
  * 3.3V Power
  * GND
* **MicroSD card** (8 GB or larger)
* **Thistle Yocto image**: [Download link](https://storage.googleapis.com/thistle-blobs/bbb/core-image-minimal-beaglebone-yocto-20230706145208.rootfs.wic)
* **Thistle Control Center account** with:
  * A project
  * A Linux Kernel Verified Boot key pair
* **Host computer** (Linux/macOS) with internet access
* *(Optional)* USB UART cable for serial console access

***

## Step 1: Flash the OS

1. Download the [Thistle Yocto image](https://storage.googleapis.com/thistle-blobs/bbb/core-image-minimal-beaglebone-yocto-20230706145208.rootfs.wic).

2. Flash it to the SD card using `dd`:

   ```bash theme={"dark"}
   sudo dd if=core-image-minimal-beaglebone-yocto-20230706145208.rootfs.wic of=/dev/sdX bs=4M status=progress && sync
   ```

3. Insert the SD card into the BeagleBone Black and power it on.

4. Log in if prompted (default credentials may vary).

***

## Step 2: Sign the Kernel

1. Mount the boot partition from the SD card:

   ```bash theme={"dark"}
   sudo mount /dev/sdX1 /mnt/boot
   ```

2. Copy the `Image` file to your computer:

   ```bash theme={"dark"}
   cp /mnt/boot/Image ./Image
   ```

3. In Thistle Control Center:
   * Navigate to your project → **Signed Firmware**
   * Click **+ Signed Firmware Bundle**
   * Select:
     * **Hardware**: BeagleBone Black + OPTIGA Trust M
     * **Firmware Type**: Linux Kernel Verified Boot
     * Upload `Image`
   * Click **Create**

4. Download the resulting `kernel-sig` file.

***

## Step 3: Program the Trust M

1. On the BeagleBone Black, the necessary Trust M tools are included in the Thistle Yocto image.

2. Verify the Trust M:

   ```bash theme={"dark"}
   sudo trustm_chipinfo
   ```

3. Copy your public key from Thistle Control Center and save it as `project_pubkey.pem`.

4. Convert to Trust M format:

   ```bash theme={"dark"}
   openssl ec -pubin -in project_pubkey.pem -outform DER 2>/dev/null \
     | xxd -i -s 27 | xxd -r -p > pk
   ```

5. Write the public key to slot `0xE0E8`:

   ```bash theme={"dark"}
   sudo trustm_data -X -e -w 0xe0e8 -i pk
   ```

6. *(Optional)* Lock the slot:

   ```bash theme={"dark"}
   sudo trustm_metadata -X -C n -w 0xe0e8
   ```

***

## Step 4: Install Thistle Boot Assets

1. Mount the SD card’s boot partition:

   ```bash theme={"dark"}
   sudo mount /dev/sdX1 /mnt/boot
   cd /mnt/boot
   ```

2. Backup existing boot files:

   ```bash theme={"dark"}
   mv boot.scr boot.scr.orig
   mv u-boot.img u-boot.img.orig
   ```

3. Download Thistle’s U-Boot and boot script:

   ```bash theme={"dark"}
   curl -O https://storage.googleapis.com/thistle-blobs/bbb/boot.scr
   curl -O https://storage.googleapis.com/thistle-blobs/bbb/u-boot.img
   ```

4. Copy the `kernel-sig` file to the boot partition:

   ```bash theme={"dark"}
   cp ~/Downloads/kernel-sig ./kernel-sig
   ```

5. Sync and unmount:

   ```bash theme={"dark"}
   sync
   sudo umount /mnt/boot
   ```

***

## Step 5: Boot and Verify

1. Insert the SD card into the BeagleBone Black.

2. Press and hold the **USER** button while powering on the board to boot from the SD card.

3. Release the button when U-Boot starts.

4. Use a serial console (115200 baud) to monitor the boot process.

5. Look for messages indicating signature verification via Trust M, such as:

   ```
   Reading TrustM at slot 0xe0e8
   ```

6. If valid, the kernel will boot normally.

7. Log in and confirm the system is running with secure boot enabled.

***

## Conclusion

You've successfully enabled Thistle Verified Boot on a BeagleBone Black with the Trust M secure element. Your device will now only boot kernels signed with your project’s private key, enhancing the security of your deployment.

***