BeagleY-AI Integration
By the end of this guide you will have your BeagleY-AI integrated with Thistle Verified Boot. This integration relies on an Infineon OPTIGA Trust M as the root of trust.
Hardware Integration
Connect your Infineon OPTIGA Trust M to pins 2 and 3 of the BeagleY-AI.
Software Image
We will use the BeagleY-AI image provided by BeagleBone. You can download the image from this link. After flashing the image to the board, you can proceed with the integration.
Kernel Signature
Once the image is flashed on your device, we are ready to sign the kernel image. The kernel is located on the boot partition of the SD card (Image). Signing is performed through Thistle Control Center.
Upload your kernel and click on “Create”. Once the kernel image is signed, you can download the signature by clicking on your project, then TVB kernel signature.
Trust M Public Key
For this platform, we provide the Trust M tooling as a separate archive. You can download the archive here. Extract the archive and follow the instructions to write the public key.
$ unzip trustm.zip
$ cd bin
$ sudo cp *.so /usr/lib
$ sudo trustm_chipinfo
Read Chip Info [0xE0C2]: Success.
[...]
Refer to the Overview guide to learn how to write the Trust M public key.
Assets Installation
Finally, we need to copy a custom U-Boot image and bootscript to the boot partition of the SD card. We will also copy the signature file.
# mount boot partition and reach the boot directory
$ cd /mnt/boot
# preserve the original uboot image
$ mv u-boot.img u-boot.img.orig
# install new image and bootscript
$ curl -O https://storage.googleapis.com/thistle-blobs/bbai/u-boot.img
$ curl -O https://storage.googleapis.com/thistle-blobs/bbai/boot.scr
# copy signature on boot partition
$ cp ~/Downloads/kernel-sig /mnt/boot/kernel-sig
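Before unmounting, it is worth confirming that the boot partition actually holds what the steps above intended. The script below is an added example, not part of the Thistle tooling: the file names come from this guide, while the function name `check_boot_assets` and the checks themselves are assumptions. It does not verify the signature; it only catches installation mistakes such as a download that saved an error body instead of a binary.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): sanity-check the boot partition.
# File names are the guide's; the function and its checks are assumptions.

# Returns 0 if every asset is present and plausible, 1 otherwise.
check_boot_assets() {
    local dir="${1:-/mnt/boot}" rc=0 f
    # Every file the verified boot flow needs must exist and be non-empty.
    for f in Image u-boot.img u-boot.img.orig boot.scr kernel-sig; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING or empty: $f" >&2
            rc=1
        fi
    done
    # curl -O without --fail stores the server's error body under the
    # requested name, so reject downloads that begin like markup.
    for f in u-boot.img boot.scr; do
        [ -s "$dir/$f" ] || continue
        case "$(head -c 5 "$dir/$f" | tr -d '\0')" in
            '<?xml'|'<!DOC'|'<html'|'<Erro')
                echo "NOT A BINARY (error page?): $f" >&2
                rc=1 ;;
        esac
    done
    # The custom U-Boot must differ from the preserved original image.
    if [ -s "$dir/u-boot.img" ] && [ -s "$dir/u-boot.img.orig" ] &&
       cmp -s "$dir/u-boot.img" "$dir/u-boot.img.orig"; then
        echo "u-boot.img is identical to u-boot.img.orig" >&2
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `check_boot_assets /mnt/boot`; a non-zero exit status means one of the installation steps should be repeated.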
First Boot
You can now unmount the SD card and insert it back into the BeagleY-AI board. Power on the board, and you should now see the verified boot sequence starting on the serial port.