# Sign images and copy (.auth) key/signed files to EFI partition

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html](https://docs.qualcomm.com/doc/80-70015-11/topic/sign-images-and-copy-auth-key-signed-files-to-efi-partition.html)

The EFI system partition consists of the EFI, loader, and dtb directories, which hold the files that UEFI and systemd-boot use at boot time.

The procedure provides instructions to:
- Sign the images.
- Copy the `.auth` key files and the signed images to the corresponding directories in the EFI partition.

- Signed executable images are placed under `/EFI`: the `bootaa64.efi` file (systemd-boot) in the `/EFI/BOOT/` directory and the `uki.efi` file (the Linux unified kernel image) in the `/EFI/Linux/` directory.

In addition to validating signed images, systemd-boot is used to enroll keys.
- The UEFI secure boot keys (`PK.auth`, `KEK.auth`, and `db.auth`) are placed in the `/loader/keys/authkeys` directory for key enrollment. systemd-boot reads these keys and provisions them into the RPMB or the UEFI variable store through the UEFI boot time services.

- You can configure the wait time (in seconds) in the systemd-boot loader configuration. Kernel loading is delayed for that time, which allows you to review and select the available options in the systemd-boot menu.

Device tree files are stored in the `/dtb` directory. UEFI loads and initializes the device tree from these files at runtime. Because the DTB files are not PE images, signing them produces a separate `.sig` file for each DTB, which is placed in the same directory as the DTB.

Layout of the EFI system partition (`efi.bin`):

| `/EFI` | `/loader` | `/dtb` |
| --- | --- | --- |
| `/BOOT/bootaa64.efi` (systemd-boot) | `loader.conf` | Chipset DTB file |
| `/Linux/uki.efi` (Linux UKI) | `/keys/authkeys/PK.auth`, `KEK.auth`, `db.auth` | Signature (`.sig`) file for each DTB file |

Follow these steps to place the signed images and keys in an EFI partition on a Linux host machine:

1. Locate the `efi.bin` file path in the `contents.xml` file of the meta build and obtain the `efi.bin` file from there.
2. Copy the `efi.bin` file into the `<workspace>` directory and create an `efimountedbin` directory within the `<workspace>` directory to use as the mount point.
3. Mount the `efi.bin` file:

        sudo mount efi.bin efimountedbin

        cd efimountedbin
4. Create an `authkeys` directory within the `<workspace>/efimountedbin/loader/keys` directory to hold the keys to enroll.
5. Select and copy the `.auth` files (`PK.auth`, `KEK.auth`, and `db.auth`) to the `authkeys` directory:

        sudo cp <selected algo PK/KEK/DB auth files from the files location> <workspace>/efimountedbin/loader/keys/authkeys/
6. Sign the `bootaa64.efi`, `uki.efi`, and dtb image files with the keys and copy them to the respective directories in the `efimountedbin` directory.
    1. Sign the `efi` images:
        The sbsign tool signs EFI boot images, such as `bootaa64.efi` and `uki.efi`, that follow the EFI specification. It is the standard UEFI secure boot signing tool and is available for download and use on Linux systems. Note that sbsign can only sign PE/COFF images (the `.efi` files); it cannot sign the dtb files.

        1. Copy the `bootaa64.efi` file from the `/EFI/BOOT` directory and the `uki.efi` file from the `/EFI/Linux` directory of `efimountedbin` to the `images` directory on your Linux machine.
        2. Sign the images:

                cd <workspace>/images

                sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt bootaa64.efi --output <workspace>/bootaa64.efi

                sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt uki.efi --output <workspace>/uki.efi
    2. Sign the `dtb` image:
        Images authenticated by UEFI secure boot are normally PE format images. The location and size of the signature are recorded in the existing PE header, and the signature itself is appended at the end of the signed file.

        Images in non-PE formats that require UEFI secure boot authentication have no PE header and no magic number from which the image format can be recognized, so the standard tools and verification path cannot be used for them.

        Currently, among the images that UEFI secure boot verifies, only the dtb files are non-PE images. As an alternative to the sbsign tool, you can use the `openssl cms` command to generate detached signature files for images in non-PE format.

        Follow these steps for signing non-PE images:
        1. The general form of the command that signs a dtb file and produces its signature file is:

                openssl cms -sign -inkey <.key file> -signer <.crt file> -binary -in <input dtb file> -out <output .sig file> -outform DER
        2. To sign the image, run the following command:

                cd <workspace>/images

                sudo openssl cms -sign -inkey <workspace>/keys/db.key -signer <workspace>/keys/db.crt -binary -in qcm6490-idp.dtb -out qcm6490-idp.sig -outform DER
7. Copy the signed `uki.efi` and `bootaa64.efi` images back to their respective directories (`/EFI/Linux` and `/EFI/BOOT`) within the `efimountedbin` directory.
8. Copy the `qcm6490-idp.sig` signature file to the `/dtb` directory of the `efimountedbin` directory, next to `qcm6490-idp.dtb`.
9. Configure the wait time in systemd-boot:
    1. Open the `loader.conf` file at `/loader/loader.conf` in the mounted image with sudo access:

            sudo vi loader.conf
    2. Add the line `timeout 2` to set the boot menu timeout to 2 seconds and save the file.
10. Unmount the image so that the changes are written back and `efi.bin` contains the signed images and keys:

        sudo umount efimountedbin
11. Place the signed images and keys in the EFI partition on the target. Bring the device into Fastboot mode and flash the updated `efi.bin` file with the fastboot command:

        fastboot flash efi <efi binary location>
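The host-side procedure above (steps 2 to 10), together with the checks a practitioner would want before flashing: verifying each signed PE image with `sbverify`, verifying each detached DTB signature with `openssl cms -verify`, and confirming that the mounted image holds every file from the layout table. This is an added shell example, not code from the Qualcomm documentation. It assumes (these paths and names are this example's own, not the page's) that `<workspace>/efi.bin`, `<workspace>/keys/db.key`, `<workspace>/keys/db.crt` and `<workspace>/keys/authkeys/{PK,KEK,db}.auth` exist, that sbsigntools and openssl are installed, and that the `run` subcommand is executed as root so that the image can be mounted. The function names (`sign_pe`, `verify_dtb`, `check_layout`, and so on) are hypothetical.

```shell
#!/bin/sh
# sign-esp.sh: sign and check the contents of efi.bin on a Linux host (added example).
# Assumptions (not from the page): <workspace>/efi.bin, <workspace>/keys/db.key,
# <workspace>/keys/db.crt and <workspace>/keys/authkeys/{PK,KEK,db}.auth exist;
# sbsigntools (sbsign, sbverify) and openssl are installed; "run" is executed as root.
set -eu

# Authenticode-sign a PE/COFF image (bootaa64.efi, uki.efi) with the db key.
sign_pe() {  # sign_pe <db.key> <db.crt> <in.efi> <out.efi>
    sbsign --key "$1" --cert "$2" --output "$4" "$3"
}

# Check that a signed PE image verifies against db.crt before it goes back into the image.
verify_pe() {  # verify_pe <db.crt> <file.efi>
    sbverify --cert "$1" "$2"
}

# Detached CMS signature for a non-PE image such as a DTB. openssl cms -sign is detached
# by default (no -nodetach), so the .sig file holds only the signature, not the DTB bytes.
sign_dtb() {  # sign_dtb <db.key> <db.crt> <in.dtb> <out.sig>
    openssl cms -sign -inkey "$1" -signer "$2" -binary -in "$3" -outform DER -out "$4"
}

# Verify the detached signature against the DTB bytes. -purpose any is needed because a
# UEFI db certificate usually lacks the S/MIME extended key usage that cms -verify expects.
verify_dtb() {  # verify_dtb <db.crt> <file.dtb> <file.sig>
    openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
        -CAfile "$1" -purpose any -out /dev/null 2>/dev/null
}

# Set the systemd-boot menu timeout in loader.conf, replacing an existing timeout line.
set_timeout() {  # set_timeout <loader.conf> <seconds>
    if grep -q '^timeout ' "$1"; then
        sed -i "s/^timeout .*/timeout $2/" "$1"
    else
        printf 'timeout %s\n' "$2" >> "$1"
    fi
}

# Confirm the mounted ESP holds every file from the layout table and a .sig beside each DTB.
check_layout() {  # check_layout <mountpoint>; returns 1 and lists what is missing
    mnt=$1 rc=0
    for f in EFI/BOOT/bootaa64.efi EFI/Linux/uki.efi loader/loader.conf \
             loader/keys/authkeys/PK.auth loader/keys/authkeys/KEK.auth \
             loader/keys/authkeys/db.auth; do
        [ -f "$mnt/$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    for d in "$mnt"/dtb/*.dtb; do
        [ -f "$d" ] || { echo "missing: dtb/*.dtb" >&2; rc=1; break; }
        [ -f "${d%.dtb}.sig" ] || { echo "missing: ${d%.dtb}.sig" >&2; rc=1; }
    done
    return $rc
}

# The host-side procedure end to end: mount efi.bin, add the .auth files, sign and verify
# the PE images and every DTB, set the menu timeout, check the layout, unmount.
run() {  # run <workspace>
    ws=$1 mnt=$1/efimountedbin
    mkdir -p "$mnt" && mount "$ws/efi.bin" "$mnt"
    mkdir -p "$mnt/loader/keys/authkeys"
    cp "$ws"/keys/authkeys/*.auth "$mnt/loader/keys/authkeys/"
    for img in EFI/BOOT/bootaa64.efi EFI/Linux/uki.efi; do
        out=$ws/$(basename "$img")
        sign_pe "$ws/keys/db.key" "$ws/keys/db.crt" "$mnt/$img" "$out"
        verify_pe "$ws/keys/db.crt" "$out"
        cp "$out" "$mnt/$img"
    done
    for d in "$mnt"/dtb/*.dtb; do
        sign_dtb "$ws/keys/db.key" "$ws/keys/db.crt" "$d" "${d%.dtb}.sig"
        verify_dtb "$ws/keys/db.crt" "$d" "${d%.dtb}.sig"
    done
    set_timeout "$mnt/loader/loader.conf" 2
    check_layout "$mnt"
    umount "$mnt"   # writes the changes into efi.bin; then: fastboot flash efi efi.bin
}

case "${1:-}" in
    run) run "$2" ;;
    *)   echo "usage: sudo sh $0 run <workspace>" >&2 ;;
esac
```

Run it as `sudo sh sign-esp.sh run <workspace>`. Because `set -e` is in effect, a signature that does not verify, or a file missing from the layout, stops the script before `umount`, so a broken image is never unmounted and flashed by mistake. The `.sig` is written next to its `.dtb` with the same base name, matching the `qcm6490-idp.dtb` / `qcm6490-idp.sig` pairing used in the steps above.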

**Parent Topic:** [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-uefi-secure-boot.html)

Last Published: Oct 14, 2024

Previous Topic: [Generate key and certificate](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/generate-key-and-certificate.md)

Next Topic: [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/enable-uefi-secure-boot-from-systemd-boot-menu.md)