The trh tool simplifies both local development and CI integration by taking existing build outputs and signing them with the Thistle Cloud Signing service to produce fully signed boot artifacts that are ready to be flashed to target devices.
The input build must be a signed Yocto build. The signing key used during the Yocto build does not matter — it will be replaced by Thistle’s cloud-managed signing key during the resigning process, so feel free to use the default test key set.
Prerequisites
- A Grinn Genio 700 SOM board
- A signed build for the platform (see Yocto instructions)
- The latest trh CLI tool (v1.9.1 and above), download here
- Your Thistle Project Access Token THISTLE_TOKEN from the Thistle Control Center
To get started using the Grinn Genio 700 SOM, refer to the official Grinn documentation for flashing and initial setup.
Signing the boot images
The trh factory-sign mediatek command takes your build directory and resigns all the secure boot artifacts through Thistle’s cloud signing service. The resigned build is written to the output directory.
- mt8390 is the target platform for the Grinn Genio 700 SOM
- <build-dir> is the path to your Yocto build output directory
- <signed-output-dir> is where the signed artifacts will be written
Example
Flashing the signed images
Before flashing the image, the board needs to be fused with the public key hash used for signing the image. The public key hash is always displayed when the signing tool starts. In the example above, the key hash to use is bd11f97cfc.... Follow the MediaTek documentation for fusing the key hash.
