# Enable UEFI secure boot

UEFI secure boot enhances the security and reliability of the system by ensuring that only the verified and trusted software loads during startup.

[Secure boot](https://docs.qualcomm.com/doc/80-80022-11/topic/features.html#section-secure-boot-features) and [UEFI secure boot](https://docs.qualcomm.com/doc/80-80022-11/topic/features.html#section-uefi-secure-boot-features) are distinct security features and cover different images for authentication.

UEFI secure boot can be enabled either on a secure boot device or, for testing purposes, on a non-secure boot device.

## Prerequisites

### Host requirements

1. Install [OpenSSL 0.9.80 June 2010 (or later version)](https://openssl-library.org/source/) on the Linux host computer.
2. Install the following [efitools](https://pkgs.org/download/efitools):

    - `cert-to-efi-sig-list`: converts OpenSSL certificates to EFI signature lists
    - `sign-efi-sig-list`: signs the EFI signature list
    - `hash-to-efi-sig-list`: creates a hash signature list entry from a binary

### Provision replay protected memory block on device

Replay protected memory block (RPMB) provisioning is mandatory for UEFI secure boot enablement. For more information, see [RPMB](https://docs.qualcomm.com/doc/80-80022-11/topic/features.html#section-rpmb-features).

## Configure a UEFI secure boot to generate keys and certificates

You can set up an initial UEFI secure boot configuration and convert the keys and certificates into a format that UEFI can understand. The workflow shows the off-target preparation and the on-device execution.


**Figure: UEFI secure boot workflow**

Note

Secure communications and cryptography are facilitated by the OpenSSL toolkit, while keys and signatures for UEFI secure boot are managed by efitools.

## Generate key and certificate

To enable UEFI secure boot, generate a pair of keys and certificates for signing and authentication.

The key generation supports the following algorithms:

- RSA 2048/4096 with SHA-256/SHA-384 hash algorithm
- ECDSA secp256r1/secp384r1

The following procedures provide instructions to generate keys and certificates with RSA 2048 and SHA-256 as an example.

Note

- Create a directory and run the commands in the same location to perform these steps on a Linux machine.
- For ECC, replace `rsa:2048` with `ec:secp384r1` or `ec:secp256r1`. For SHA-384, replace `-sha256` with `-sha384` in the following commands.

### Generate GUID

Generate a GUID, then create three new keys with self-signed certificates in CRT/PEM format and keys in `.key` format.

Use `uuidgen` to generate the signature owner GUID:

```shell
uuidgen --random > GUID.txt
```

### Create PK key

1. Create a PK key pair (RSA-2048) and certificate:

    ```shell
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
    ```

2. Convert the `.crt` file into the `.cer` file:

    ```shell
    openssl x509 -outform der -in PK.crt -out PK.cer
    ```

3. Convert the `.crt` file into the `.esl` file:

    ```shell
    cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
    ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files:

    ```shell
    sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
    ```

### Create KEK key

1. Create a KEK key pair (RSA-2048) and certificate:

    ```shell
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
    ```

2. Convert the `.crt` file into the `.cer` file:

    ```shell
    openssl x509 -outform der -in KEK.crt -out KEK.cer
    ```

3. Convert the `.crt` file into the `.esl` file:

    ```shell
    cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
    ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files (the KEK is signed with the PK):

    ```shell
    sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
    ```

### Create dB key

1. Create a dB key pair (RSA-2048) and certificate:

    ```shell
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Custom DB Signing Key 1/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
    ```

2. Convert the `.crt` file into the `.cer` file:

    ```shell
    openssl x509 -outform der -in db.crt -out db.cer
    ```

3. Convert the `.crt` file into the `.esl` file:

    ```shell
    cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
    ```

4. Sign and generate the `.auth` file with the `.crt`, `.esl`, and `.key` files (the dB is signed with the KEK):

    ```shell
    sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
    ```

## Sign images and copy (.auth) key/signed files to EFI partition

The EFI system partition consists of EFI, loader, and ostree with information relevant to EFI when using systemd-boot. The DTB partition consists of dtb directories.

The EFI system partition holds essential files for booting the system and managing updates, while the DTB partition contains hardware configuration information. This section provides instructions to:

- Sign various images.
- Copy the `.auth` key files and the signed images to the EFI partition and DTB partition directories.
- Place the signed executable images in their directories: the `bootaa64.efi` file (systemd-boot) goes in `efimountedbin/EFI/BOOT/` and the `linux-<target-name>.efi` file (Linux) goes in `efimountedbin/EFI/Linux/`.

systemd-boot validates the signed images and is also used to enroll the keys:

- UEFI secure boot keys are placed in a specific directory under `/keys` for key enrollment. systemd-boot reads these keys and stores them in the RPMB during UEFI boot time services.
- You can configure the wait time (in seconds) in the systemd-boot loader configuration. Kernel loading is delayed during the wait time, allowing you to review and select available options in the systemd-boot menu.
- Device tree files are stored in the `dtbmountedbin/dtb` directory. UEFI uses these files at runtime to initialize the device tree. Because these files are non-PE images, signing creates `.sig` files that are placed in the same directory as the files they cover.

**Table: EFI system partition (efi.bin)**

| `/EFI` | `/Loader` |
| --- | --- |
| `/Boot/bootaa64.efi` | `loader.conf` |
| `/Linux/linux-<target-name>.efi` | `/keys/authkeys/db.auth`, `/keys/authkeys/KEK.auth`, `/keys/authkeys/PK.auth` |

**Table: DTB partition (dtb.bin)**

| Image | Signature |
| --- | --- |
| `qclinux_fit.img` (or `combined-dtb.dtb`) | `qclinux_fit.sig` (or `combined-dtb.sig`) |

### Place signed images and keys in EFI partition

Follow these steps to place the signed images and keys in an EFI partition on a Linux host machine.

1. Locate the `efi.bin` and `dtb.bin` file paths in the `contents.xml` file to obtain the `efi.bin` and `dtb.bin` files from the meta.
2. Mount the `efi.bin` file in the `<workspace>` directory: create an `efimountedbin` directory within the `<workspace>` directory to use as the mount point.
3. Mount the `dtb.bin` file in the `<workspace>` directory: create a `dtbmountedbin` directory within the `<workspace>` directory to use as the mount point.
4. Mount the `efi.bin` file:

    ```shell
    sudo mount efi.bin efimountedbin
    ```

    ```shell
    cd efimountedbin
    ```

5. Mount the `dtb.bin` file:

    ```shell
    sudo mount dtb.bin dtbmountedbin
    ```

    ```shell
    cd dtbmountedbin
    ```

6. Create the `loader/keys/authkeys` directory chain in `<workspace>/efimountedbin/` to enroll keys.
7. Select and copy the `.auth` files (`PK.auth`, `KEK.auth`, and `db.auth`) for the chosen algorithm to the `authkeys` directory in `efimountedbin`:

    ```shell
    sudo cp <selected algo PK/KEK/DB auth files from the files location> <workspace>/efimountedbin/loader/keys/authkeys/
    ```
8. Sign the `bootaa64.efi`, `linux-<target-name>.efi`, and `qclinux_fit.img` (or `combined-dtb.dtb`) binary files with the keys and copy them to the respective directories in the `efimountedbin` and `dtbmountedbin` directories.

    1. Sign `efi` images:

        The sbsign tool signs EFI boot images, such as `bootaa64.efi`, that follow the EFI specifications. The tool, which is used for UEFI secure boot signing, is available for download and use on Linux systems. Note that sbsign can only sign PE images with a `.efi` extension.

        1. Copy the `bootaa64.efi` file from the `efimountedbin/EFI/BOOT` directory and the `linux-<target-name>.efi` file from the `efimountedbin/EFI/Linux/` directory to the `<workspace>/images` directory on your Linux machine.
        2. Sign the images:

            ```shell
            cd <workspace>/images
            sudo sbsign --key <workspace>/db.key --cert <workspace>/db.crt bootaa64.efi --output <workspace>/bootaa64.efi
            sudo sbsign --key <workspace>/db.key --cert <workspace>/db.crt linux-<target-name>.efi --output <workspace>/linux-<target-name>.efi
            ```

    2. Sign the dtb image:

        All images authenticated by UEFI secure boot are regular UEFI applications and are typically in the PE format. The signature header and size are appended to the existing PE header, and the signature itself is appended at the end of the signed file.

        However, when an image in a non-PE format requires UEFI secure boot authentication, the image format can't be recognized because there is no PE header or magic number, so the standard tools and verification path can't be used.

        Currently, among the images that UEFI secure boot verifies, only the dtb files are in a non-PE format. As an alternative to the sbsign tool, use the `openssl cms` command to generate detached signature files for images in non-PE format.

        Follow these steps to sign non-EFI images:

        1. To sign a dtb file and produce its signature file, run:

            ```shell
            openssl cms -sign -inkey <workspace>/db.key -signer <workspace>/db.crt -binary -in <input dtb file> -out <output .dtb.sig file> -outform DER
            ```

        2. To sign the image, run:

            ```shell
            cd <workspace>/images
            sudo openssl cms -sign -inkey <workspace>/db.key -signer <workspace>/db.crt -binary -in qclinux_fit.img -out qclinux_fit.sig -outform DER
            # For the combined DTB variant, use combined-dtb.dtb as the input and combined-dtb.sig as the output.
            ```
9. Copy the signed `linux-<target-name>.efi` and `bootaa64.efi` images, and the `qclinux_fit.img` (or `combined-dtb.dtb`) image together with its `.sig` file, back to their respective directories (`dtbmountedbin/`, `efimountedbin/EFI/Linux/`, and `efimountedbin/EFI/BOOT/`).
10. Configure the timeout duration of the systemd-boot manager to display the menu:

    1. Open and edit the `loader.conf` file at `/loader/loader.conf` with sudo access:

        ```shell
        sudo vi loader.conf
        ```

    2. Add the line `timeout 10` to set the boot menu timeout and save the file.
11. To unmount the EFI binary and retrieve the updated `efi.bin` file, run:

    ```shell
    sudo umount efimountedbin
    ```

12. To unmount the DTB binary and retrieve the updated `dtb.bin` file, run:

    ```shell
    sudo umount dtbmountedbin
    ```

13. To flash the signed images and keys on the target, bring the device into Fastboot mode and flash the updated `efi.bin` and `dtb.bin` images with the following commands:

    ```shell
    fastboot flash efi <efi binary location>
    fastboot flash dtb_a <dtb binary location>
    fastboot reboot
    ```
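The PE versus non-PE distinction in step 8 decides whether an image can be signed in place with sbsign or needs a detached `.sig`. The following Python example is added here and is not part of the original page or the Qualcomm tooling: it locates the Authenticode signature through the PE Security data directory (the "signature header and size appended to the PE header" described above) and classifies a blob as signed PE, unsigned PE, or a flattened device tree that needs a sidecar signature. `build_sample_pe` is a constructed minimal PE32+ blob used only to exercise the checks.

```python
import struct

# Constants from the PE/COFF specification (not taken from the original page).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002      # Authenticode PKCS#7 SignedData
FDT_MAGIC = b"\xd0\x0d\xfe\xed"               # flattened device tree magic (big-endian)

def is_pe_image(data: bytes) -> bool:
    """True if the blob has an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def embedded_signature(data: bytes):
    """Return (wCertificateType, dwLength) of the appended WIN_CERTIFICATE, or None if unsigned."""
    if not is_pe_image(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                               # COFF file header follows 'PE\0\0'
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == PE32_MAGIC else 112)  # data directories: +96 (PE32) / +112 (PE32+)
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_opt:
        return None
    offset, size = struct.unpack_from("<II", data, entry)  # Security entry is a file offset, not an RVA
    if size < 8 or offset + size > len(data):
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type, length

def classify(data: bytes) -> str:
    """How a boot artefact must be authenticated under UEFI secure boot."""
    if is_pe_image(data):
        sig = embedded_signature(data)
        return "pe-signed" if sig and sig[0] == WIN_CERT_TYPE_PKCS_SIGNED_DATA else "pe-unsigned"
    return "dtb-needs-detached-sig" if data[:4] == FDT_MAGIC else "unknown"

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ blob for demonstration only (not a real bootloader)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 'PE\0\0' right after the stub
    coff = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, 240, 0x22)  # ARM64, SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    body = b"\0" * 64
    cert = b""
    if signed:  # append a WIN_CERTIFICATE stub and point the Security directory at it
        cert = struct.pack("<IHH", 24, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30" * 16
        sig_offset = len(dos) + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_offset, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert
```

Run `classify(open("bootaa64.efi", "rb").read())` against a real image to confirm sbsign produced an embedded signature before copying it back into `efimountedbin`.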

## Enable UEFI secure boot from systemd-boot menu

Ensure that the EFI signed images and the secure boot keys are first generated and then flashed on the target, along with the systemd-boot manager timeout configuration. For more details, see [Sign images and copy (.auth) key/signed files to EFI partition](https://docs.qualcomm.com/doc/80-80022-11/topic/enable-uefi-secure-boot.html#section-sign-images-copy-auth-key-label).

Note

The key enrollment using systemd-boot manager to store keys into RPMB is a one-time operation. After successful key enrollment, the reprovisioning and updating of UEFI secure boot keys isn’t possible.

The following steps enable UEFI secure boot on the device.

1. After UEFI is loaded and run during the next bootup, the systemd-boot manager displays the following interactive menu in the serial log.

    ```
    Qualcomm Linux 1.5-ver.1.1 (ostree:0) Enroll Secure Boot keys: authkeys
    Boot in 10 s.
    Boot in 9 s.
    Boot in 8 s.
    ```

2. Press the **vol-** key to stop the countdown, which displays **Enroll Secure Boot keys: authkeys**.
3. Press the **power** key to start enrollment. A timeout follows during which the enrollment can be aborted by pressing any key; don't press any key during this period. After the timeout completes, the key enrollment operation runs. A successful key enrollment is shown in the following log.

    ```
    Qualcomm Linux 1.5-ver.1.1 (ostree:0) Enroll Secure Boot keys: authkeys
    Enrolling secure boot keys from directory: \loader\keys\authkeys
    Warning: Enrolling custom Secure Boot keys might soft-brick your machine!
    Enrolling in 15 s, press any key to abort.
    ...
    Enrolling in  0 s, press any key to abort.
    Custom Secure Boot keys successfully enrolled, rebooting the system now!
    ```

4. After the keys are successfully enrolled, UEFI automatically switches from SetupMode to UserMode. systemd-boot then triggers a device reboot.
5. On the next device bootup, UEFI starts in UserMode and UEFI secure boot is enabled. A successful enablement of UEFI secure boot is shown in the following serial log.

    ```
    OS DTB Authentication Success status = 0
    Authenticate OS DTB Success! Status = Success
    ```

    If EFI stub level logging is enabled through the kernel config, the log also shows:

    ```
    EFI stub: Booting Linux Kernel...
    EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
    EFI stub: UEFI Secure Boot is enabled.
    EFI stub: Using DTB from configuration table
    EFI stub: Exiting boot services...
    ```

6. After UEFI secure boot is successfully enabled, revert the systemd-boot manager timeout configuration.
6. Once the UEFI secure boot is successfully enabled, revert the systemd-boot manager timeout configuration.

## Hash unsigned images and update DB for image authentication

UEFI secure boot allows image authentication. This authentication is achieved through the hash of images stored in the signature database (dB), even if the images aren’t signed or the certificates in the images aren’t present in the dB.

This process is reserved for content that can't be signed or altered from its vendor-provided state. If the image hash is present in the deny list database (dBX), trust in a signed binary can be removed without having to revoke the corresponding certificates or keys. This is useful, for example, when dealing with an earlier signed boot loader that's vulnerable to recent exploits.

It’s redundant to apply a signature and create a dB hash for the same binary. Follow these steps if the image composition doesn’t require any changes, meaning no new keys and certificates are being added or modified in the image, and no UEFI secure boot authentication is needed for the existing images.

You can calculate the hash of images and generate an allowed signature dB file.

### Generate db.auth file for unsigned images

1. Generate a hash of all images to be verified and convert the hashes into an `.esl` file:

    ```shell
    hash-to-efi-sig-list <list of .efi files to be hashed> <output file name with .esl extension>
    ```

2. Sign the `.esl` hash file with the dB key:

    ```shell
    sign-efi-sig-list -k <.key file location> -c <.crt file location> <secure variable name> <.esl file generated above> <output .auth file>
    ```

3. Copy the generated `db.auth` file into the EFI binary and provision the keys into the device.

For example, on a Linux host machine:

1. Mount the `efi.bin` file to the `<workspace>` directory and create an `efimountedbin` folder in the `<workspace>` directory.
2. Create a `testkeys` folder in the `<workspace>` directory on the Linux machine and copy the pre-existing keys to it.
3. Hash and sign the images:

    ```shell
    hash-to-efi-sig-list <workspace>/efimountedbin/EFI/BOOT/bootaa64.efi mergedhash.esl
    ```

    ```shell
    sign-efi-sig-list -k <workspace>/testkeys/db.key -c <workspace>/testkeys/db.crt db mergedhash.esl db.auth
    ```

4. Copy the `db.auth` file to the `qckeys` folder at `<workspace>/efimountedbin/loader/keys/qckeys`.
5. Follow the dtb signing steps and sign the dtb images to generate a new `efi.bin` file. For more information, see [Sign images and copy (.auth) key/signed files to EFI partition](https://docs.qualcomm.com/doc/80-80022-11/topic/enable-uefi-secure-boot.html#section-sign-images-copy-auth-key-label).
6. From the Linux host machine, on the target:

    1. Erase any existing UEFI secure boot keys and flash the EFI binary with fastboot.
    2. Provision keys with systemd-boot. For more information, see [Enable UEFI secure boot from systemd-boot menu](https://docs.qualcomm.com/doc/80-80022-11/topic/enable-uefi-secure-boot.html#section-enable-uefi-secure-boot-from-systemd-boot-menu-label).
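Both the key hierarchy built under "Generate key and certificate" and the hash list built in this section end up as `.auth` files, so it is worth checking what such a file would actually load into PK, KEK or db before enrolling it, since enrollment is a one-time operation. The following Python example is added here and is not from the original page or from efitools: it strips the EFI_VARIABLE_AUTHENTICATION_2 header that `sign-efi-sig-list` prepends, walks the embedded EFI_SIGNATURE_LIST entries, tells X.509 certificate lists (from `cert-to-efi-sig-list`) apart from SHA-256 hash lists (from `hash-to-efi-sig-list`), and checks that every entry carries the SignatureOwner GUID written to `GUID.txt`. The GUID constants and layouts come from the UEFI specification; `build_sample_auth` constructs a sample blob with a placeholder PKCS#7 body, so the example parses but does not verify the signature.

```python
import struct
import uuid

# GUIDs and structure layouts from the UEFI specification (not taken from the original page).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
ESL_HEADER = struct.Struct("<16sIII")      # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
AUTH_HEADER = struct.Struct("<16sIHH16s")  # EFI_TIME, dwLength, wRevision, wCertificateType, CertType
WIN_CERT_UEFI_GUID_SIZE = AUTH_HEADER.size - 16   # dwLength covers WIN_CERTIFICATE_UEFI_GUID + CertData, not EFI_TIME

def parse_esl(data: bytes):
    """Walk every EFI_SIGNATURE_LIST in `data`, yielding (kind, owner_guid, signature_data)."""
    pos = 0
    while pos < len(data):
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, pos)
        if list_size < ESL_HEADER.size or pos + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST")
        kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(
            uuid.UUID(bytes_le=sig_type), "unknown")
        entry, end = pos + ESL_HEADER.size + hdr_size, pos + list_size
        while sig_size > 16 and entry + sig_size <= end:   # each entry: SignatureOwner GUID + data
            yield kind, uuid.UUID(bytes_le=data[entry:entry + 16]), data[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end

def unwrap_auth(data: bytes) -> bytes:
    """Strip the EFI_VARIABLE_AUTHENTICATION_2 header (timestamp + PKCS#7 signature)
    that sign-efi-sig-list prepends and return the embedded signature lists."""
    _time, length, _rev, cert_type, cert_guid = AUTH_HEADER.unpack_from(data, 0)
    if cert_type != WIN_CERT_TYPE_EFI_GUID or uuid.UUID(bytes_le=cert_guid) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7-authenticated variable payload")
    return data[16 + length:]

def summarize(auth_blob: bytes, expected_owner: uuid.UUID) -> dict:
    """Report what a .auth file would load into PK/KEK/db and whether every entry
    carries the SignatureOwner GUID that was written to GUID.txt."""
    entries = list(parse_esl(unwrap_auth(auth_blob)))
    return {"entries": len(entries),
            "kinds": sorted({kind for kind, _, _ in entries}),
            "owner_ok": all(owner == expected_owner for _, owner, _ in entries)}

def build_sample_auth(owner: uuid.UUID, cert_der: bytes, hashes: list) -> bytes:
    """Constructed sample .auth blob: placeholder PKCS#7 body, one X.509 list, one SHA-256 list."""
    def esl(sig_type, payloads):
        body = b"".join(owner.bytes_le + p for p in payloads)
        return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, 16 + len(payloads[0])) + body
    lists = esl(EFI_CERT_X509_GUID, [cert_der]) + (esl(EFI_CERT_SHA256_GUID, hashes) if hashes else b"")
    pkcs7 = b"\x30\x82" + b"\0" * 30                # stands in for the real CMS SignedData
    header = AUTH_HEADER.pack(b"\0" * 16, WIN_CERT_UEFI_GUID_SIZE + len(pkcs7), 0x0200,
                              WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return header + pkcs7 + lists
```

On a real file, `summarize(open("db.auth", "rb").read(), uuid.UUID(open("GUID.txt").read().strip()))` should report `x509` for the certificate-based `db.auth` and `sha256` for the `mergedhash.esl`-based one.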

Note

With this method, UEFI authenticates unsigned files, or files signed with other keys, by their hash.

## Next steps

- For chipset feature management and to upgrade the chipset feature packs, see [Install or upgrade SoftSKU feature packs](https://docs.qualcomm.com/doc/80-80022-11/topic/upgrade-qualcomm-wes-feature-pack.html#upgrade-qualcomm-wes-feature-pack).
- To customize memory and SEPolicy, see [Customize security services](https://docs.qualcomm.com/doc/80-80022-11/topic/customize.html#customize).
- For common logging and debugging techniques, see [Debug Qualcomm TEE and secure devices](https://docs.qualcomm.com/doc/80-80022-11/topic/debug.html#debug).

Last Published: May 18, 2026
