# Sign images and copy (.Auth) key/signed files to EFI partition

Source: [https://docs.qualcomm.com/doc/80-70014-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html](https://docs.qualcomm.com/doc/80-70014-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html)

The EFI system partition contains the `EFI`, `loader`, and `dtb` directories, which hold the files systemd-boot needs at boot time.

The procedure provides instructions to:
- Sign the images
- Copy the `.auth` key files and the signed images to the EFI partition directories

Signed executable images are placed as follows: the `bootaa64.efi` file (systemd-boot) goes in the `\EFI\BOOT\` directory and the `uki.efi` file (the Linux unified kernel image) goes in `\EFI\Linux\`.

In addition to validating signed images, systemd-boot is used to enroll keys.
- UEFI secure boot keys (`.auth` files) are placed in a dedicated folder under `/loader/keys` for key enrollment. systemd-boot reads these keys and provisions them in the RPMB or UEFI variable store during UEFI boot time services.

- You can configure a wait time (in seconds) in the systemd-boot loader configuration. Kernel loading is delayed for that long, allowing you to review and select the available options in the systemd-boot menu.

Device tree files are stored in the `/dtb` folder. UEFI loads them at runtime to initialize the device tree. Because DTB files are not PE images, signing them produces a separate `.sig` file, which is placed in the same folder as the DTB file.

Layout of the EFI system partition (`efi.bin`):

| /EFI | /loader | /dtb |
| --- | --- | --- |
| /BOOT - `bootaa64.efi` | `loader.conf` | Chipset DTB file |
| /Linux - `uki.efi` | /keys/authkeys - `PK.auth`, `KEK.auth`, `db.auth` | Signature (`.sig`) file for each DTB file |

Follow these steps to place the signed images and keys in an EFI partition on a Linux
            host machine:

1. Locate the `efi.bin` file path in the `contents.xml` file to obtain the `efi.bin` file from the meta build.
2. Create an `efimountedbin` folder within the `<workspace>` directory to use as the mount point for `efi.bin`.
3. Mount the `efi.bin` file:

        sudo mount efi.bin efimountedbin

        cd efimountedbin
4. Create an `authkeys` folder within the `<workspace>/efimountedbin/loader/keys` directory to hold the keys to enroll.
5. Select the `.auth` files for the chosen key algorithm (`PK.auth`, `KEK.auth`, and `db.auth`) and copy them to the `authkeys` folder:

        sudo cp <PK/KEK/db .auth files for the selected algorithm> <workspace>/efimountedbin/loader/keys/authkeys/
6. Sign the `bootaa64.efi`, `uki.efi`, and dtb image files with the keys and copy them to their respective folders in the `efimountedbin` directory.
    1. Sign the `efi` images:
        The `sbsign` tool signs EFI boot images, such as `bootaa64.efi` and `uki.efi`, that follow the PE/COFF format required by the UEFI specification. It is the standard tool for UEFI secure boot signing and is available for Linux systems (the sbsigntools project). Note that `sbsign` can only sign PE images (the `.efi` files); it cannot sign a raw binary such as a `.dtb`.

        1. Copy the `bootaa64.efi` file from `/EFI/BOOT` and the `uki.efi` file from `/EFI/Linux` in the `efimountedbin` folder to the `images` folder on your Linux machine.
        2. Sign the images:

                cd <workspace>/images

                sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt bootaa64.efi --output <workspace>/bootaa64.efi

                sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt uki.efi --output <workspace>/uki.efi
    2. Sign the `dtb` image:
        The images that UEFI secure boot authenticates are normally PE images. The signature's offset and size are recorded in the existing PE header (the certificate table entry), and the signature itself is appended at the end of the signed file.

        Images in non-PE formats cannot be authenticated this way: without a PE header and its magic number, the firmware cannot recognize the image format, so the standard tools and verification path do not apply.

        Among the images that UEFI secure boot verifies, currently only the dtb files are in a non-PE format. Instead of `sbsign`, use the OpenSSL `cms` command to generate a detached signature file for such images.

        Follow these steps for signing non-EFI images:
        1. The general form of the command that produces the signature file for a dtb file is:

                openssl cms -sign -inkey <.key file> -signer <.crt file> -binary -in <input dtb file> -out <output .sig file> -outform DER
        2. Sign the image:

                cd <workspace>/images

                sudo openssl cms -sign -inkey <workspace>/keys/db.key -signer <workspace>/keys/db.crt -binary -in qcm6490-idp.dtb -out qcm6490-idp.sig -outform DER
7. Copy the signed `bootaa64.efi` and `uki.efi` images back to their respective folders (`/EFI/BOOT` and `/EFI/Linux`) within the `efimountedbin` directory.
8. Copy the `qcm6490-idp.sig` signature file to the `/dtb` folder of the `efimountedbin` directory, next to the `qcm6490-idp.dtb` file it signs.
9. Configure the wait time in systemd-boot:
    1. Open the `loader.conf` file at `/loader/loader.conf` with sudo access:

            sudo vi loader.conf
    2. Add the line `timeout 2` to set the boot menu timeout (in seconds) and save the file.
10. Unmount the image so that your changes are written back into the `efi.bin` file:

        sudo umount efimountedbin
11. Flash the signed images and keys to the EFI partition on the target. Put the device into fastboot mode and flash the updated `efi.bin` file with the fastboot command:

        fastboot flash efi <efi binary location>
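
The procedure above (steps 4 to 9, including the non-PE dtb case from step 6) as one script. This is an added example, not Qualcomm's own tooling, and it goes slightly beyond the page: it verifies every signature against `db.crt` with `sbverify` and `openssl cms -verify` before the image is unmounted, and checks that the partition layout from the table is complete. The `<esp>`, `db.key`, `db.crt` and `<authkeys-dir>` arguments, the function names, and the `.signed` temporary suffix are assumptions for this example; it expects `efi.bin` to be mounted already, and `sbsign`/`sbverify` (sbsigntools) and `openssl` to be installed on the host.

```shell
#!/bin/sh
# Added example for the procedure above; not Qualcomm's tooling.
# Assumed placeholders: the ESP is efi.bin already mounted at <esp>;
# db.key/db.crt are the db signing key and certificate; <authkeys-dir>
# holds the PK.auth, KEK.auth and db.auth files to enroll.
# Needs sbsign/sbverify (sbsigntools) and openssl on the host.
set -eu

# Sign a PE/COFF image (bootaa64.efi, uki.efi) in place, keeping its name.
sign_pe() {  # sign_pe <db.key> <db.crt> <image.efi>
    sbsign --key "$1" --cert "$2" --output "$3.signed" "$3"
    mv "$3.signed" "$3"
}

# Check the Authenticode signature against db.crt before flashing.
verify_pe() {  # verify_pe <db.crt> <image.efi>
    sbverify --cert "$1" "$2"
}

# Sign a non-PE blob (the chipset .dtb) as a detached DER-encoded CMS
# signature; the page names the output <name>.sig beside the .dtb.
sign_dtb() {  # sign_dtb <db.key> <db.crt> <file.dtb>
    openssl cms -sign -binary -inkey "$1" -signer "$2" \
        -in "$3" -outform DER -out "${3%.dtb}.sig"
}

# Verify the detached signature: fails if the .dtb or the .sig was altered.
# -purpose any skips the S/MIME purpose check a code-signing db.crt may fail.
verify_dtb() {  # verify_dtb <db.crt> <file.dtb>
    openssl cms -verify -binary -inform DER -in "${2%.dtb}.sig" \
        -content "$2" -CAfile "$1" -purpose any -out /dev/null
}

# Set the systemd-boot menu timeout, replacing any existing timeout line.
set_timeout() {  # set_timeout <loader.conf> <seconds>
    if grep -q '^timeout ' "$1" 2>/dev/null; then
        sed "s/^timeout .*/timeout $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'timeout %s\n' "$2" >> "$1"
    fi
}

# Check that every file the partition layout table lists is present and
# that each .dtb has its .sig; prints the first missing item and fails.
check_layout() {  # check_layout <esp>
    for f in EFI/BOOT/bootaa64.efi EFI/Linux/uki.efi loader/loader.conf \
             loader/keys/authkeys/PK.auth loader/keys/authkeys/KEK.auth \
             loader/keys/authkeys/db.auth; do
        [ -f "$1/$f" ] || { echo "missing $f" >&2; return 1; }
    done
    found=0
    for d in "$1"/dtb/*.dtb; do
        [ -e "$d" ] || break   # unmatched glob: no .dtb files at all
        [ -f "${d%.dtb}.sig" ] || { echo "missing signature for $d" >&2; return 1; }
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no .dtb found in dtb/" >&2; return 1; }
}

# Steps 4 to 9 of the procedure on a mounted efi.bin, with verification.
provision_esp() {  # provision_esp <esp> <db.key> <db.crt> <authkeys-dir>
    esp=$1; key=$2; crt=$3; auth=$4
    mkdir -p "$esp/loader/keys/authkeys"
    cp "$auth/PK.auth" "$auth/KEK.auth" "$auth/db.auth" "$esp/loader/keys/authkeys/"
    for img in "$esp/EFI/BOOT/bootaa64.efi" "$esp/EFI/Linux/uki.efi"; do
        sign_pe "$key" "$crt" "$img"
        verify_pe "$crt" "$img"
    done
    for d in "$esp"/dtb/*.dtb; do
        sign_dtb "$key" "$crt" "$d"
        verify_dtb "$crt" "$d"
    done
    set_timeout "$esp/loader/loader.conf" 2
    check_layout "$esp"
}

# Usage: sudo sh sign_esp.sh <workspace>/efimountedbin db.key db.crt <authkeys-dir>
if [ $# -eq 4 ]; then
    provision_esp "$@"
fi
```

Run it as root against the mount point from step 3, then `umount` and flash as in steps 10 and 11. The verification calls are the check worth keeping even if you sign by hand: a `.dtb` that is edited after signing, or a `.sig` produced with the wrong key, fails `verify_dtb` on the host rather than at the first secure boot.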

**Parent Topic:** [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70014-11/topic/enable-uefi-secure-boot.html)

Last Published: Aug 06, 2024
