# Sign and flash the images

## Sign the images

Image signing is a security process that involves adding a cryptographic signature to a digital image. This signature serves as a unique identifier, verifying the authenticity, integrity, and origin of the image. Without image signing, there is no assurance of an image’s integrity or trusted origin, leading to potential security breaches and data loss.

Follow these steps to sign the images.

1. You can sign the images using SecTools V2. Different signing methods and secure image functionality are available. For more information, see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/doc/80-NM248-12/topic/secure-image-usage.html).
2. You can generate the keys and certificates using a local signer. For more information, see [Generate local (insecure) root key and certificate](https://docs.qualcomm.com/doc/80-70020-11/topic/generate-keys-and-certificates.html#section-generate-local-root-key-certificate-lable).
3. To sign a single image, run the following command, where `tz.mbn` is used as an example.

    > Note
    >
    > You can replace the values of oem-id “**0x1**” and oem-product-id “**0xabcd**” according to your requirement.

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile <meta>/common/sectoolsv2/<chipset>_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
    ```

    The following is a sample command for IQ-9075/IQ-9100.

    ```
    <meta>/common/sectoolsv2/ext/linux/sectools secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
    ```
4. Check for images with the `pil_split` flag in the contents.xml file.

    Example: `pil_split = "adsp"`

    For images that should be split, use the `--pil-split` option.
5. For signing the complete metabuild, use the following commands.

    ```
    ./sectools metabuild-secure-image --image-finder /common/build/app/image_finder.py --sign --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --chipset KODIAK --outdir meta_signing_output/ --storage ufs
    ```

    For more information, see [SecTools V2: Metabuild Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-17/resource/80-NM248-17_REV_AB_SecTools_V2__Metabuild_Secure_Image_User_Guide.pdf).

Note

The *SecTools* guides are available to licensed users with authorized access.

## Generate the signed sec.elf image

Generating a signed sec.elf image involves creating a secure executable and linkable format (ELF) file with a cryptographic signature. Signing this image ensures its authenticity, integrity, and origin.

A fuse blower binary is used to permanently disable certain functionalities or components of a device for security reasons. Generating a signed sec.elf image along with a fuse blower binary involves a series of steps to ensure both the integrity of the firmware and the security of the device. To generate the fuse blower binary, see [SecTools V2: Fuse Blower User Guide](https://docs.qualcomm.com/bundle/80-NM248-9/resource/80-NM248-9_REV_AB_SecTools_V2__Fuse_Blower_User_Guide.pdf).

## Integrate the sample commands using SecTools

This section provides sample commands only. The following are sample commands for SecTools on Windows.

Note

- You can replace the values of oem-id “**0x1**” and oem-product-id “**0xabcd**” according to your requirement.
- You can replace the value of `--fuse-pk-hash-0` with the SHA384 of `OEM-KEYS/qpsa_rootca.cer`.

    To calculate the correct PK\_HASH value, use the following command:

    ```
    openssl dgst -sha384 qpsa_rootca.cer
    ```

    For more information, see [Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/doc/80-70020-11/topic/generate-keys-and-certificates.html#section-generate-sha-384-hash-rsa-ecdsa-lable).
- In the sec.elf generation commands below, replace the `<sha384 of OEM-KEYS/qpsa_rootca.cer>` placeholder with the digest generated here from your root certificate.

- Stage 1: Basic secure boot (image authentication + OEMID + MODEL ID)

    Run the following command:

    **QCS5430/QCS6490**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
    ```

    **IQ-9075/IQ-9100**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
    ```

    **IQ-8275/IQ-8300**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --generate --security-profile <meta>/common/sectoolsv2/monaco_security_profile.xml --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x1 --fuse-oem-product-id=0xabcd --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile basic_sec.elf
    ```

    **IQ-615**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/talos_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf
    ```
- Stage 2: Complete secure boot (basic secure boot + debug disable + anti-rollback + write permission disable):

    Run the following commands.

    **QCS5430/QCS6490**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=RANDOM --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-write-permissions-write-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
    ```

    **IQ-9075/IQ-9100**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/lemans_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-eku-enforcement-en --fuse-anti-rollback-feature-en=0xF --fuse-sec-key-derivation-key=RANDOM --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-fec-enables-write-disable --fuse-write-permissions-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
    ```

    **IQ-8275/IQ-8300**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --generate --security-profile <meta>/common/sectoolsv2/monaco_security_profile.xml --fuse-secondary-key-derivation-key-read-disable --fuse-read-permissions-write-disable --fuse-write-permissions-write-disable --fuse-fec-enables-write-disable --fuse-public-key-hash-0-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-oem-secure-boot-fec-enable --fuse-secondary-key-derivation-key-fec-enable --fuse-wdog-en --fuse-eku-enforcement-en --fuse-oem-configuration-write-disable --fuse-oem-secure-boot-write-disable --fuse-anti-rollback-feature-en=0xf --fuse-shared-qsee-spiden-disable --fuse-shared-qsee-spniden-disable --fuse-shared-mss-dbgen-disable --fuse-shared-mss-niden-disable --fuse-shared-cp-dbgen-disable --fuse-shared-cp-niden-disable --fuse-shared-ns-dbgen-disable --fuse-shared-ns-niden-disable --fuse-apps-dbgen-disable --fuse-apps-niden-disable --fuse-shared-misc-debug-disable --fuse-usb-pipo-disable --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-hw-id=0x1 --fuse-oem-product-id=0xabcd --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-sec-key-derivation-key=RANDOM --sign --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile sec.elf
    ```

    **IQ-615**

    ```
    <meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower --security-profile <meta>/common/sectoolsv2/talos_security_profile.xml --fuse-pk-hash-0=<sha384 of OEM-KEYS/qpsa_rootca.cer> --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en --fuse-oem-secure-boot-fec-enable --fuse-wdog-en --fuse-apps-apb-dfd-disable --fuse-dcc-debug-disable --fuse-debug-bus-disable --fuse-aoss-aop-dfd-disable --fuse-eud-disable --fuse-dap-deviceen-disable --fuse-apps-dbgen-disable --fuse-dap-dbgen-disable --fuse-lpass-turing-dbgen-disable --fuse-wcss-dbgen-disable --fuse-aoss-aop-dbgen-disable --fuse-cam-icp-dbgen-disable --fuse-ssc-dbgen-disable --fuse-venus-0-dbgen-disable --fuse-a5x-isdb-dbgen-disable --fuse-mss-dbgen-disable --fuse-apps-niden-disable --fuse-dap-niden-disable --fuse-lpass-turing-niden-disable --fuse-wcss-niden-disable --fuse-aoss-aop-niden-disable --fuse-cam-icp-niden-disable --fuse-ssc-niden-disable --fuse-mss-niden-disable --fuse-apps-spniden-disable --fuse-dap-spniden-disable --fuse-apps-spiden-disable --fuse-dap-spiden-disable --fuse-llcc-dsrw-disable --fuse-read-permissions-write-disable --fuse-oem-configuration-write-disable --fuse-secondary-key-derivation-key-read-disable --fuse-public-key-hash-0-write-disable --fuse-oem-secure-boot-write-disable --fuse-secondary-key-derivation-key-write-disable --fuse-secondary-key-derivation-key-fec-enable --fuse-sec-key-derivation-key=RANDOM --fuse-fec-enables-write-disable --generate --sign --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --oem-id=0x1 --oem-product-id=0xabcd --outfile sec.elf
    ```

> Note
>
> The *SecTools* guides are available to licensed users with authorized access.
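
Because the fuse values cannot be changed once written, a pre-flight check of the final `fuse-blower` command line is worth running before generating `sec.elf`. The following is an added example, not Qualcomm's code and not part of SecTools: it confirms that `--fuse-pk-hash-0` equals the SHA-384 of the root certificate file and that the fuse IDs agree with the signing IDs. The function names, the tolerated `0x` prefix, and the rule that fuse and signing IDs must match are assumptions drawn from the sample commands above; the certificate bytes in the demo are constructed.

```python
import hashlib
import shlex

# The six secure boot options carried by every Stage 1 and Stage 2 command above.
SECBOOT_FLAGS = [f"--fuse-oem-secure-boot{n}-{s}"
                 for n in (1, 2, 3) for s in ("pk-hash-in-fuse", "auth-en")]
# Assumption: each fuse value must equal its signing counterpart, as in the samples.
ID_PAIRS = [("--fuse-oem-hw-id", "--oem-id"),
            ("--fuse-oem-product-id", "--oem-product-id")]

# The page's Stage 1 QCS5430/QCS6490 command; {pk_hash} stands for its placeholder.
STAGE1_TEMPLATE = (
    "<meta>/common/sectoolsv2/ext/Linux/sectools fuse-blower"
    " --security-profile <meta>/common/sectoolsv2/kodiak_security_profile.xml"
    " --fuse-pk-hash-0={pk_hash}"
    " --fuse-oem-secure-boot1-pk-hash-in-fuse --fuse-oem-secure-boot1-auth-en"
    " --fuse-oem-secure-boot2-pk-hash-in-fuse --fuse-oem-secure-boot2-auth-en"
    " --fuse-oem-secure-boot3-pk-hash-in-fuse --fuse-oem-secure-boot3-auth-en"
    " --fuse-oem-hw-id=0x0001 --fuse-oem-product-id=0xabcd --generate --sign"
    " --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer"
    " --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key"
    " --oem-id=0x1 --oem-product-id=0xabcd --outfile basic_sec.elf"
)


def parse_options(command):
    """Return {option: value or None} for a sectools command line."""
    tokens = shlex.split(command)
    opts = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("--"):
            continue
        name, sep, value = tok.partition("=")
        if not sep:  # "--opt value" form, or a bare flag
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            value = nxt if nxt and not nxt.startswith("-") else None
        opts[name] = value
    return opts


def cert_sha384(cert_path):
    """SHA-384 of the file bytes, the value `openssl dgst -sha384` prints."""
    with open(cert_path, "rb") as fh:
        return hashlib.sha384(fh.read()).hexdigest()


def preflight(command, cert_path):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_options(command)
    findings = []
    raw = opts.get("--fuse-pk-hash-0") or ""
    digits = raw.lower().removeprefix("0x")  # assumption: optional 0x prefix tolerated
    if len(digits) != 96 or set(digits) - set("0123456789abcdef"):
        findings.append(f"--fuse-pk-hash-0 is not a 96-digit SHA-384 hex value: {raw!r}")
    elif digits != cert_sha384(cert_path):
        findings.append(f"--fuse-pk-hash-0 does not match SHA-384 of {cert_path}")
    for fuse_opt, sign_opt in ID_PAIRS:
        fuse_val, sign_val = opts.get(fuse_opt), opts.get(sign_opt)
        if fuse_val and sign_val and int(fuse_val, 16) != int(sign_val, 16):
            findings.append(f"{fuse_opt}={fuse_val} differs from {sign_opt}={sign_val}")
    missing = [flag for flag in SECBOOT_FLAGS if flag not in opts]
    if missing:
        findings.append("missing secure boot options: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".cer") as fh:
        fh.write(b"constructed stand-in for root certificate bytes")  # not a real cert
        fh.flush()
        unedited = STAGE1_TEMPLATE.format(pk_hash="<sha384 of OEM-KEYS/qpsa_rootca.cer>")
        print(preflight(unedited, fh.name))  # placeholder left in place is flagged
        print(preflight(STAGE1_TEMPLATE.format(pk_hash=cert_sha384(fh.name)), fh.name))
```

An empty list from `preflight` means none of these checks fired; it does not replace reviewing the remaining fuse options against the fuse configuration appendix.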

## Encrypt the unified image encryption

Unified image encryption (UIE) is designed to protect image integrity by encrypting image files, thereby preventing unauthorized tampering. This mechanism ensures that only authorized devices can decrypt and access the original images.

For command-line usage related to UIE encryption, see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/doc/80-NM248-12/topic/secure-image-usage.html).

UIE encryption isn’t supported for IQ-9075/IQ-9100 and IQ-8275/IQ-8300.

> Note
>
> The *SecTools* guides are available to licensed users with authorized access.

**Generate your own key for encryption**

1. The user UIE keys are the standard AES 128 keys and can be generated using the OpenSSL tool.

    Use the command:

    ```
    openssl enc -aes-128-cbc -k <secret> -P -md sha1
    ```

    Where:

    - `openssl enc`: Invokes the OpenSSL encryption tool.
    - `-aes-128-cbc`: Specifies the encryption algorithm, AES with a 128-bit key in the cipher block chaining (CBC) mode.
    - `-k secret`: Provides the password (secret) from which the key and initialization vector (IV) are derived.
    - `-P`: Prints the derived key and IV instead of performing an encryption or decryption.
    - `-md sha1`: Specifies the message digest algorithm (sha1) used in the key derivation function (KDF).

    For example:

    ```
    openssl enc -aes-128-cbc -k "secret_passphrase" -P -md sha1
    ```

    Sample output:

    ```
    salt=E2A1F3C4D5B6A798
    key=5F4DCC3B5AA765D61D8327DEB882CF99
    iv =AABBCCDDEEFF00112233445566778899
    ```
2. Copy the key to a file to create your key file.

    `echo "5F4DCC3B5AA765D61D8327DEB882CF99" > l1_key.key`
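
The derivation behind `openssl enc -k <secret> -P -md sha1` (without `-pbkdf2`) is a single-iteration `EVP_BytesToKey`, reproduced below as an added example that is not part of the original page or of SecTools. It shows that the AES-128 key is a pure function of the passphrase and the random 8-byte salt, and it checks that the key file and the `--fuse-oem-image-encryption-key` value carry the same key. The function names are hypothetical, and the rule that both places must hold the same key is an assumption taken from the sample values on this page.

```python
import hashlib
import os
import re


def evp_bytes_to_key(passphrase, salt, key_len=16, iv_len=16, md="sha1"):
    """One-iteration EVP_BytesToKey: D1 = H(pass||salt), Dn = H(Dn-1||pass||salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def uie_key_material(passphrase, salt=None):
    """Derive key and IV the way `openssl enc -aes-128-cbc -k ... -P -md sha1` does."""
    salt = os.urandom(8) if salt is None else salt  # openssl picks a random salt per run
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    key_hex = key.hex().upper()
    return {
        "salt": salt.hex().upper(),
        "key": key_hex,
        "iv": iv.hex().upper(),
        "key_file": key_hex + "\n",  # what `echo "<key>" > l1_key.key` writes
        "fuse_option": "--fuse-oem-image-encryption-key=0x" + key_hex,
    }


def check_l1_key(text):
    """True if the key file holds exactly one AES-128 key as 32 hex digits."""
    return re.fullmatch(r"[0-9A-Fa-f]{32}", text.strip()) is not None


def same_key(fuse_option, key_file_text):
    """True if the fuse option and the key file carry the same 128-bit key."""
    value = fuse_option.split("=", 1)[1]
    if value.lower().startswith("0x"):
        value = value[2:]
    return check_l1_key(key_file_text) and value.upper() == key_file_text.strip().upper()


if __name__ == "__main__":
    # Constructed input: the example passphrase and salt value shown on the page.
    material = uie_key_material("secret_passphrase", bytes.fromhex("E2A1F3C4D5B6A798"))
    print(material["fuse_option"])
    print("key file valid:", check_l1_key(material["key_file"]))
    print("fuse and file agree:", same_key(material["fuse_option"], material["key_file"]))
    # A fresh run with a random salt yields a different key for the same passphrase.
    print(uie_key_material("secret_passphrase")["key"] != material["key"])
```

Since the salt is random on every run, the key printed by `openssl` must be saved at generation time; rerunning the command with the same passphrase does not reproduce it.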

**Generate a UIE sec.elf file**

1. Use the following command to generate a UIE sec.elf file.

    ```
    ./sectools fuse-blower --security-profile <chipset>_security_profile.xml --outfile uie_sec.elf --fuse-image-encryption-enable --generate --sign --signing-mode TEST --fuse-oem-image-encryption-key=0x5F4DCC3B5AA765D61D8327DEB882CF99 --fuse-oem-image-encryption-key-fec-enable
    ```
2. Update the security profile XML appropriate to the chipset.
3. Set the signing mode to LOCAL or PLUGIN according to the requirement.
4. Update the encryption key according to your key.

Once the UIE sec.elf file is generated, you can flash it onto the non-secure device. After flashing the UIE sec.elf, you should then flash the secure boot enablement sec.elf along with the other fuses.

**Encrypt the binaries**

To encrypt the binaries with the test keys, use the following arguments along with the signing command.

```
--encrypt --encryption-mode TEST
```

To encrypt the binaries with the local keys, use the following arguments along with the signing command.

```
--encrypt --encryption-mode LOCAL --l1-key l1_key.key
```

## Flash the images

Flashing images involves writing an entire image, including partitions, file systems, and data, onto a storage device. This process helps maintain the functionality, security, and performance of the device.

Follow these steps to flash the images:

1. See [Set QFPROM fuses](https://docs.qualcomm.com/doc/80-70020-11/topic/appendix-fuse-configurations.html#appendix-fuse-configurations) for the list of fuses to configure.
2. Replace all binaries with the signed non-Linux binaries generated in [Sign the images](https://docs.qualcomm.com/doc/80-70020-11/topic/sign-and-flash-images.html#section-sign-image-lable), including `prog_firehose_ddr.elf`.

    To replace the PIL images, replace the existing PIL images with their corresponding signed versions generated earlier.

    - Extract the `<chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw.zip` file.
    - Replace the PIL split binaries and the `.mdt` files in the extracted directory `<chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw/lib/firmware/qcom/<chipset_name>` with the ones generated in the signed output.
    - Zip the `<chipset_name.LE.x.x>/common/build/ufs/bin/<chipset_name>_fw` directory as `<chipset_name>_fw.zip`.
    - Recompile the Yocto build.
3. To flash all the signed binaries to the device, see [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/build_frm_source_qsc_cli.html).
4. After generating the signed images and `sec.elf`, enable secure boot:

    1. Flash the signed images first without `sec.elf` and ensure that the device boots successfully.
    2. Flash `sec.elf` by updating the `rawprogram4.xml` file as:

        ```xml
        <program start_sector="207781" size_in_KB="28.0" physical_partition_number="4" partofsingleimage="false" file_sector_offset="0" num_partition_sectors="7" readbackverify="false" filename="sec.elf" sparse="false" start_byte_hex="0x32ba5000" SECTOR_SIZE_IN_BYTES="4096" label="secdata"/>
        ```

    3. Flash the signed images and `sec.elf` using the flash procedure from [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/flash_images.html).
    4. Flash the image using PCAT.
    5. Verify that the secure boot is enabled using [Bring up → Verified secure boot](https://docs.qualcomm.com/doc/80-70020-11/topic/bring-up.html#section-bringup-verify-secure-boot-label).
5. When the secure boot is enabled, the device expects images to be flashed using a secure programming method called validated image programming (VIP). In this release, you can proceed with flashing the images on the secure device by disabling VIP with the following workaround in the programmer (`prog_firehose_ddr.elf`) image. The source file is at: `<>/BOOT.MXF.1.0.c1/boot_images/boot/QcomPkg/Library/DevPrgLib/devprg_transfer.c`
6. Set the `vip->state` to `VIP_DISABLED` irrespective of the secure boot enable check in the following function:

    ```c
    int devprg_transfer_init(void)
    {
      int secboot, result;
      struct vip_data *vip = &vip_data;

      devprg_init_vip_state();
      secboot = devprg_is_secure_boot_enabled();
      /* Workaround: the secure boot check below is commented out, so
         vip->state is set to VIP_DISABLED even when secure boot is enabled. */
      // if (secboot == 0)
      vip->state = VIP_DISABLED;
      result = devprg_transport_init();
      return result;
    }
    ```
7. To rebuild `prog_firehose_ddr.elf`, see [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/build_addn_info.html).
8. If any of the PIL signed images aren’t flashed using PCAT, follow these steps to push the PIL images manually using SCP:

    Push the adsp, cdsp, modem, wlan, and ipa PIL split binaries. For instructions, see [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/how_to.html#use-ssh).

    1. Copy and replace the PIL split bins and the `.mdt` files generated in the signed output to the `<QCM6490.LE.x.x>/common/build/ufs/bin/QCM6490_fw/lib/firmware/qcom/qcm6490/` directory.
    2. Connect to the device as the root using SSH. For instructions, see [Qualcomm Linux Build Guide](https://docs.qualcomm.com/bundle/publicresource/topics/80-70020-254/how_to.html#use-ssh).

        Run the following command:

        ```
        mount -o rw,remount /
        scp <QCM6490.LE.x.x>/common/build/ufs/bin/QCM6490_fw/lib/firmware/qcom/qcm6490/. root@<IP_address>:/lib/firmware/qcom/qcm6490/
        # Push gfx (a660_zap) PIL split binaries, a660_zap.mdt and a660_zap.mbn from the signed output
        scp <a660_zap signed output folder>/. root@<IP_address>:/lib/firmware/
        # Push the signed Venus binary
        scp vpu20_1v.mbn root@<IP_address>:/lib/firmware/qcom/vpu-2.0/
        reboot
        ```
9. To check for PIL loading success, check for the following logs in dmesg:

    ```
    [    7.597009] remoteproc remoteproc0: Booting fw image qcom/qcs6490/modem.mdt, size 6052
    [    8.095883] remoteproc remoteproc0: remote processor 4080000.remoteproc is now up
    [    5.938938] remoteproc remoteproc1: Booting fw image qcom/qcs6490/wpss.mdt, size 4612
    [    6.088524] remoteproc remoteproc1: remote processor 8a00000.remoteproc is now up
    [    5.951047] remoteproc remoteproc2: Booting fw image qcom/qcs6490/adsp.mdt, size 6852
    [    6.107310] remoteproc remoteproc2: remote processor 3000000.remoteproc is now up
    [    5.977966] remoteproc remoteproc3: Booting fw image qcom/qcs6490/cdsp.mdt, size 5252
    [    6.135802] remoteproc remoteproc3: remote processor a300000.remoteproc is now up
    ```
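
The dmesg check in the last step can be automated by pairing each `Booting fw image` line with the matching `is now up` line for the same remoteproc instance. The following is an added example, not part of the original page: the function names are hypothetical, `PAGE_LOG` is the log excerpt shown above, and the failing variant is constructed by removing one line from it.

```python
import re

BOOT_RE = re.compile(r"remoteproc (remoteproc\d+): Booting fw image (\S+), size (\d+)")
UP_RE = re.compile(r"remoteproc (remoteproc\d+): remote processor (\S+) is now up")

# The dmesg lines shown on this page.
PAGE_LOG = """\
[    7.597009] remoteproc remoteproc0: Booting fw image qcom/qcs6490/modem.mdt, size 6052
[    8.095883] remoteproc remoteproc0: remote processor 4080000.remoteproc is now up
[    5.938938] remoteproc remoteproc1: Booting fw image qcom/qcs6490/wpss.mdt, size 4612
[    6.088524] remoteproc remoteproc1: remote processor 8a00000.remoteproc is now up
[    5.951047] remoteproc remoteproc2: Booting fw image qcom/qcs6490/adsp.mdt, size 6852
[    6.107310] remoteproc remoteproc2: remote processor 3000000.remoteproc is now up
[    5.977966] remoteproc remoteproc3: Booting fw image qcom/qcs6490/cdsp.mdt, size 5252
[    6.135802] remoteproc remoteproc3: remote processor a300000.remoteproc is now up
"""

# Constructed failing case: the adsp image is booted but never reported up.
CONSTRUCTED_FAIL_LOG = "\n".join(
    line for line in PAGE_LOG.splitlines() if "3000000.remoteproc" not in line)


def pil_load_status(dmesg_text):
    """Map each remoteproc instance to its firmware image and whether it came up."""
    status = {}
    for line in dmesg_text.splitlines():
        boot = BOOT_RE.search(line)
        if boot:
            # A new boot attempt resets the state, so a failed restart is not masked
            # by an earlier successful load of the same processor.
            status[boot.group(1)] = {"image": boot.group(2),
                                     "size": int(boot.group(3)), "up": False}
            continue
        up = UP_RE.search(line)
        if up and up.group(1) in status:
            status[up.group(1)]["up"] = True
    return status


def short_name(image):
    """qcom/qcs6490/adsp.mdt -> adsp"""
    return image.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def pil_failures(dmesg_text, expected=()):
    """List images that booted without coming up, and expected ones never booted."""
    seen = {short_name(s["image"]): s["up"] for s in pil_load_status(dmesg_text).values()}
    problems = [f"{name}: booted but never reported up"
                for name, up in sorted(seen.items()) if not up]
    problems += [f"{name}: no boot attempt logged" for name in expected if name not in seen]
    return problems


if __name__ == "__main__":
    print(pil_failures(PAGE_LOG, expected=("modem", "wpss", "adsp", "cdsp")))
    print(pil_failures(CONSTRUCTED_FAIL_LOG))
```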

## Next steps

- To enforce strict access controls, see [Enable SELinux](https://docs.qualcomm.com/doc/80-70020-11/topic/enable-selinux.html#enable-selinux).
- To ensure that only the verified and trusted applications are loaded during the startup process, see [Enable UEFI secure boot](https://docs.qualcomm.com/doc/80-70020-11/topic/enable-uefi-secure-boot.html#enable-uefi-secure-boot).

Last Published: Apr 14, 2026
