# Generate signed sec.elf image

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/generate-signed-sec-elf-image.html](https://docs.qualcomm.com/doc/80-70015-11/topic/generate-signed-sec-elf-image.html)

This information provides sample commands only. For generating fuse blower binary,
            see [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf).

The following are sample commands for Sectools on Windows:

Note: You can replace the values highlighted in **bold** as per
            your requirement.

- Stage 1: Basic secure boot (image authentication + OEMID + MODEL ID)
    Run the
                    following
                command:

        <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profileCopy to clipboard

        <meta>/common/sectoolsv2/<chipset>_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elfCopy to clipboard
- Stage 2: Complete secure boot (basic secure boot + debug disable + anti-rollback +
                write permission disable):
    Run the following
                command:

        <meta>/common/sectoolsv2/ext/<platform>/sectools.exe fuse-blower --security-profile <meta>/common/sectoolsv2/<chipset>_security_profile.xml --fuse-pk-hash-0=0xf953644308944bb811ca0ec2a736a17fe38509941ce7f55860130857813c8378e93359b70dfd874c270dca08a53bd99f --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=0x00 --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/Copy to clipboard

        qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elfCopy to clipboard

**Parent Topic:** [Enable secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-secure-boot.html)

Last Published: Oct 14, 2024

[Previous Topic
Sign images](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/sign-the-images.md) [Next Topic
Flash images](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/flash-the-images.md)