BeagleBone Black Integration
By the end of this guide you will have your BeagleBone Black integrated with Thistle Verified Boot. This integration relies on an Infineon OPTIGA Trust M as the root of trust.
Hardware Integration
Connect your Infineon OPTIGA Trust M on pins 19 and 20 of the BeagleBone Black.
Software Image
We will use a custom image to test out the verified boot functionality. This image is built by our Thistle Yocto Build assistant, and it integrates all the Infineon OPTIGA Trust M tooling.
# flash image on SD card
$ dd if=core-image-minimal-beaglebone-yocto-20230706145208.rootfs.wic of=/dev/sdX bs=4M status=progress
Trust M Public Key
Refer to the Overview guide to learn how to write the Trust M public key.
Kernel Signature
Once the image is flashed on your device, we are ready to sign the kernel image. We can mount the boot partition and fetch the kernel image to sign it. Signing is performed through Thistle Control Center.
Upload your kernel and click on “Create”. Once the kernel image is signed, you can download the signature by clicking on your project, and then “TVB kernel signature”.
Assets Installation
Finally, we need to copy the U-Boot image and bootscript previously downloaded to the boot partition of the SD card. We will also copy the signature file.
$ cd /mnt/boot
# preserve the original boot.scr and uboot image
$ mv boot.scr boot.scr.orig
$ mv u-boot.img u-boot.img.orig
# install new image and bootscript
$ curl -O https://storage.googleapis.com/thistle-blobs/bbb/boot.scr
$ curl -O https://storage.googleapis.com/thistle-blobs/bbb/u-boot.img
# copy signature on boot partition
$ cp ~/Downloads/kernel-sig .
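Run a second time, the commands above replace boot.scr.orig and u-boot.img.orig with the new files, and curl -O without -f saves an HTTP error page under the asset's name. The following is an added example, not Thistle tooling: a hypothetical helper, install_tvb_assets, that assumes the three files were first downloaded into a separate staging directory and only then installs them on the boot partition.

```shell
#!/bin/sh
# Added example, not Thistle tooling. install_tvb_assets is a hypothetical helper.
# Usage: install_tvb_assets STAGING_DIR BOOT_DIR
# STAGING_DIR holds boot.scr, u-boot.img and kernel-sig, fetched beforehand
# (use `curl -fO <url>` so an HTTP error is not saved as a boot file).
install_tvb_assets() {
    staging=$1
    boot=$2
    assets="boot.scr u-boot.img kernel-sig"

    # Refuse to touch the boot partition unless every asset is present and non-empty.
    for f in $assets; do
        if [ ! -s "$staging/$f" ]; then
            echo "missing or empty: $staging/$f" >&2
            return 1
        fi
    done

    # Copy each asset under a temporary name and compare it with the staged file.
    for f in $assets; do
        if ! cp "$staging/$f" "$boot/$f.new" || ! cmp -s "$staging/$f" "$boot/$f.new"; then
            echo "copy failed or mismatch: $f" >&2
            for g in $assets; do rm -f "$boot/$g.new"; done
            return 1
        fi
    done

    for f in $assets; do
        # Preserve the original bootloader files once; a re-run must not
        # overwrite the .orig copies with the replacement files.
        if [ "$f" != kernel-sig ] && [ -e "$boot/$f" ] && [ ! -e "$boot/$f.orig" ]; then
            mv "$boot/$f" "$boot/$f.orig" || return 1
        fi
        mv "$boot/$f.new" "$boot/$f" || return 1
    done
    sync   # flush writes before the SD card is unmounted
}
```

Call it as install_tvb_assets ~/tvb-staging /mnt/boot, where ~/tvb-staging is an assumed directory name.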
First Boot
You can now power on the BeagleBone Black. Start it from the SD card by pressing the user button and powering the board. Release the button when U-Boot starts.
You can observe the boot sequence on the serial console. To confirm that the verified boot sequence ran, look for the log line “Reading TrustM at at slot 0xe0e8”. Once booted, the login is “a” and the password is “a”.