# Sign images and copy (.auth) key/signed files to EFI partition

When systemd-boot is used, the EFI system partition contains the `EFI`, `loader`, and `ostree` directories, which hold the files the EFI boot flow needs. The DTB partition contains the device tree (`dtb`) directories.

The EFI system partition holds essential files for booting the system and managing updates, while the DTB partition contains hardware configuration information. This section provides instructions to:

- Sign various images.
- Copy the `.auth` key files and the signed images to the EFI partition and DTB partition directories.
- Place signed executable images in their expected locations: the `bootaa64.efi` file (systemd-boot) goes in the `efimountedbin/EFI/BOOT/` directory, and the `vmlinuz-x.x.xx` file (Linux kernel) goes at `efimountedbin/ostree/poky-xxx/vmlinuz-x.x.xx`.

systemd-boot validates the signed images and is also used for key enrollment. Note the following:

- UEFI secure boot keys are placed in a specific directory under `/keys` for key enrollment. systemd-boot reads these keys and provisions them into the RPMB or the UEFI variable store during UEFI boot-time services.
- You can configure a wait time (in seconds) in the systemd-boot loader configuration. Kernel loading is delayed for that time, allowing you to review and select the available options in the systemd-boot menu.
- Device tree files are stored in the `dtbmountedbin/dtb` directory. UEFI uses them at runtime to initialize the device tree. Because these files are not PE images, signing produces detached `.sig` files, which are placed in the same directory as the device tree files.

Table: EFI system partition (efi.bin)

| `/EFI` | `/Loader` | `/ostree` |
| --- | --- | --- |
| `/Boot/bootaa64.efi` | `loader.conf` | `poky-xxx/vmlinuz-x.x.xx` |
|  | `/keys/authkeys/db.auth` |  |
|  | `/keys/authkeys/KEK.auth` |  |
|  | `/keys/authkeys/PK.auth` |  |

Table: DTB partition (dtb.bin)

| `combined-dtb.dtb` | `combined-dtb.sig` | `/loader` |
| --- | --- | --- |
|  |  | `/keys/authkeys/db.auth` |
|  |  | `/keys/authkeys/KEK.auth` |
|  |  | `/keys/authkeys/PK.auth` |

## Place signed images and keys in EFI partition

Follow these steps to place the signed images and keys in an EFI partition on a Linux host machine.

1. Locate the `efi.bin` and `dtb.bin` file paths in the `contents.xml` file to obtain the `efi.bin` and `dtb.bin` files from the meta.
2. Place the `efi.bin` file in the `<workspace>` directory and create an `efimountedbin` directory within the `<workspace>` directory.
3. Place the `dtb.bin` file in the `<workspace>` directory and create a `dtbmountedbin` directory within the `<workspace>` directory.
4. Mount the `efi.bin` file:

    ```shell
    sudo mount efi.bin efimountedbin
    cd efimountedbin
    ```

5. Mount the `dtb.bin` file:

    ```shell
    sudo mount dtb.bin dtbmountedbin
    cd dtbmountedbin
    ```

6. Create an `authkeys` directory within the `<workspace>/efimountedbin/loader/keys` directory to enroll keys.
7. Select and copy the `.auth` files (`PK.auth`, `KEK.auth`, and `db.auth`) to the `authkeys` directory:

    ```shell
    sudo cp <selected algo PK/KEK/DB auth files from the files location> <workspace>/efimountedbin/loader/keys/authkeys/
    ```

8. Create an `authkeys` directory within the `<workspace>/dtbmountedbin/loader/keys` directory to enroll keys.
9. Select and copy the `.auth` files (`PK.auth`, `KEK.auth`, and `db.auth`) to the `authkeys` directory in `dtbmountedbin`:

    ```shell
    sudo cp <selected algo PK/KEK/DB auth files from the files location> <workspace>/dtbmountedbin/loader/keys/authkeys/
    ```

10. Sign the `bootaa64.efi` (or `uki.efi`), `vmlinuz-x.x.xx`, and `combined-dtb.dtb` image files with the keys and copy them to their respective directories in `efimountedbin` and `dtbmountedbin`.

    1. Sign the `efi` images:

        The sbsign tool is designed for signing EFI boot images, such as `bootaa64.efi` or `uki.efi`, that follow the EFI specification. The tool is used for UEFI secure boot signing and is available for download and use on Linux systems. Note that sbsign can only sign PE-format images, such as `.efi` files.

        1. Copy the `bootaa64.efi` file from the `/efimountedbin/EFI/BOOT` directory and the `vmlinuz-x.x.xx` file from the `/efimountedbin/ostree/poky-xxx/` directory to the `images` directory on your Linux machine.
        2. Sign the images:

            ```shell
            cd <workspace>/images
            sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt bootaa64.efi --output <workspace>/bootaa64.efi
            sudo sbsign --key <workspace>/keys/db.key --cert <workspace>/keys/db.crt vmlinuz-x.x.xx --output <workspace>/vmlinuz-x.x.xx
            ```

    2. Sign the `dtb` image:

        All images authenticated by UEFI secure boot are normally executable images in the PE format. The signature header and size are recorded in the existing PE header, and the signature itself is appended at the end of the signed file.

        However, when images in non-PE formats require UEFI secure boot authentication, there is no PE header or magic number by which to recognize the image format, so the standard tools and verification paths cannot be used.

        Currently, among the images that UEFI secure boot verifies, only the dtb files are in a non-PE format. As an alternative to the sbsign tool, you can use the `openssl cms` command to generate detached signature files for images in non-PE format.

        Follow these steps to sign non-EFI images:

        1. The general form of the command that signs a dtb file and writes its signature file is:

            ```shell
            openssl cms -sign -inkey <.key file> -signer <.crt file> -binary -in <input dtb file> -out <output .dtb.sig file> -outform DER
            ```

        2. To sign the image, run the following commands:

            ```shell
            cd <workspace>/images
            sudo openssl cms -sign -inkey <workspace>/keys/db.key -signer <workspace>/keys/db.crt -binary -in combined-dtb.dtb -out combined-dtb.sig -outform DER
            ```

11. Copy the signed `combined-dtb.sig`, `vmlinuz-x.x.xx`, and `bootaa64.efi` images back to their respective directories (`dtbmountedbin/`, `efimountedbin/ostree/poky-xxx/`, and `efimountedbin/EFI/BOOT/`).
12. Configure the wait time in systemd-boot:

    1. Open and edit the `loader.conf` file at `/loader/loader.conf` on the mounted EFI partition with sudo access:

        ```shell
        sudo vi loader.conf
        ```

    2. Add the line `timeout 2` to set the boot menu timeout (in seconds) and save the file.
13. To unmount the EFI binary and retrieve the updated `efi.bin` file, run:

    ```shell
    sudo umount efimountedbin
    ```

14. To unmount the DTB binary and retrieve the updated `dtb.bin` file, run:

    ```shell
    sudo umount dtbmountedbin
    ```

15. Securely place the signed images and keys in the EFI partition on the target.

    Bring the device into Fastboot mode and flash the latest `efi.bin` and `dtb.bin` files with the fastboot commands:

    ```shell
    fastboot flash efi <efi binary location>
    fastboot flash dtb_a <dtb binary location>
    ```
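Before flashing (step 15), a structural audit of the two mounted partitions catches the usual slips in the steps above: an image copied back unsigned, or a `.sig` or `.auth` file left out. The following Python script is an added example, not code from this page or from the quic/host-signing-tool project; it assumes the directory layout from the tables above (with the page's `poky-xxx` and `x.x.xx` placeholders) and checks that each PE image carries the Authenticode certificate table that sbsign adds, and that `combined-dtb.dtb` has its detached DER CMS signature.

```python
import struct
from pathlib import Path

# Files the procedure places on the two mounted partitions (layout per the tables above;
# "poky-xxx" and "x.x.xx" are the page's placeholders, adjust them for your build).
PE_IMAGES = ["EFI/BOOT/bootaa64.efi", "ostree/poky-xxx/vmlinuz-x.x.xx"]
AUTH_KEYS = ["PK.auth", "KEK.auth", "db.auth"]

def pe_has_certificate_table(data: bytes) -> bool:
    # True if the PE image carries an Authenticode signature, i.e. sbsign filled in the
    # security data directory (entry 4) that UEFI consults; an unsigned image has it zeroed.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 and data[:2] == b"MZ" else 0
    if not pe_off or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]        # optional header starts at +24
    dd = pe_off + 24 + (96 if magic == 0x10B else 112) + 4 * 8    # PE32 vs PE32+ directory offset
    if dd + 8 > len(data):
        return False
    va, size = struct.unpack_from("<II", data, dd)
    return va != 0 and size != 0 and va + size <= len(data)

def audit(efi_root, dtb_root) -> list[str]:
    # Returns the problems found; an empty list means both partitions look ready to flash.
    problems, efi_root, dtb_root = [], Path(efi_root), Path(dtb_root)
    for rel in PE_IMAGES:
        p = efi_root / rel
        if not p.is_file():
            problems.append(f"missing {rel}")
        elif not pe_has_certificate_table(p.read_bytes()):
            problems.append(f"unsigned PE image {rel}")
    sig = dtb_root / "combined-dtb.sig"
    if not (dtb_root / "combined-dtb.dtb").is_file():
        problems.append("missing combined-dtb.dtb")
    # The detached signature written by 'openssl cms -outform DER' starts with a SEQUENCE tag.
    if not sig.is_file() or sig.read_bytes()[:1] != b"\x30":
        problems.append("missing or malformed combined-dtb.sig")
    for root in (efi_root, dtb_root):   # both partitions carry the enrollment keys
        problems += [f"missing {root.name}/loader/keys/authkeys/{k}" for k in AUTH_KEYS
                     if not (root / "loader/keys/authkeys" / k).is_file()]
    return problems

def fake_pe(signed: bool) -> bytes:
    # Constructed minimal PE32+ header (not a bootable image) to exercise the check offline.
    hdr = bytearray(b"MZ".ljust(0x40, b"\0")) + b"PE\0\0" + bytes(20)   # DOS header + COFF header
    struct.pack_into("<I", hdr, 0x3C, 0x40)                              # e_lfanew -> PE signature
    opt = bytearray(240)                                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x200, 0x100)         # certificate table offset/size
    return bytes(hdr + opt).ljust(0x300, b"\0")
```

Run the audit against the two mount points while the images are still mounted; it checks structure only, so still verify the signatures themselves with `sbverify --cert db.crt <image>` and `openssl cms -verify -binary -inform DER -in combined-dtb.sig -content combined-dtb.dtb -CAfile db.crt`.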

For more information, see [quic/host-signing-tool](https://github.com/quic/host-signing-tool).

## Next steps

- To ensure that the secure boot settings are correctly applied and maintained through the systemd-boot menu, see [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/doc/80-70018-11/topic/enable-uefi-secure-boot-from-systemd-boot-menu.html#enable-uefi-secure-boot-from-systemd-boot-menu).
- If no new keys or certificates are added or modified, and if no UEFI secure boot authentication is needed for the existing images, then see [Hash unsigned images and update dB for image authentication](https://docs.qualcomm.com/doc/80-70018-11/topic/hash-unsigned-images-and-update-db-for-image-authentication.html#hash-unsigned-images-and-update-db-for-image-authentication).

Last Published: Apr 10, 2025
