# Configure and secure boot with systemd-boot and UKI

The systemd-boot unified extensible firmware interface (UEFI) boot manager provides options to control the boot flow and loads the user-selected boot loader.
The configuration files, kernel images, initrd images, and other EFI images must reside on the EFI partition.

To run the Qualcomm Linux kernel directly as EFI images, build them with `CONFIG_EFI_STUB`. The systemd-boot supports two configurations:

- Type1: The Type1 configuration uses boot loader specification (BLS) description files. You can find these files in the `/loader/entries/` directory on the EFI.
- Type2: The Type2 configuration uses unified kernel images (UKI). These images combine the kernel, initrd, and kernel command-line into a single EFI executable.
    Type2 offers better security because the UKI contains all the necessary information for the device to boot. Signing a UKI image secures all included entities.
    If UEFI secure boot is enabled, the system only loads signed images, making signing a requirement.

For more details, see [systemd-boot](https://www.freedesktop.org/software/systemd/man/latest/systemd-boot.html).

Note

To use a secure boot enabled device, signing is required.

## UKI

UKI is a combination of a UEFI boot stub program, a Qualcomm Linux kernel
image, an initrd, and other resources in a single UEFI portable
executable (PE) file. The UEFI boot stub looks for various resources
for the kernel invocation inside the UEFI PE binary. This allows
combining various resources inside a single UKI image,
which may then be signed using sbsign.
Qualcomm Linux uses sbsign to sign PE files, while non-PE files such as DTB are signed using OpenSSL.

For more details about UKI, see [`unified_kernel_image`](https://uapi-group.org/specifications/specs/unified_kernel_image/).
The following table shows the `uki.efi` content:

| Components of uki.efi file | Contents |
| --- | --- |
| Initrd = Init ramdisk | `initramfs-rootfs-image-rb3gen2-core-kit.cpio.gz` |
| Linux = Kernel Image | `Image` (as systemd-boot expects uncompressed kernel) |
| Uname = Kernel Release | `6.18.12` |
| Efi-arch = Architecture | `aa64` |
| Stub = System-boot efi stub | `linuxx64.efi.stub` |
| OS-release = OS-release | `ID = qcom-distro`<br>`Name = "Qualcomm Linux reference distribution"`<br>`VERSION = "2.0"`<br>`VERSION_ID = 2.0`<br>`PRETTY_NAME = "Qualcomm Linux reference distribution"` |
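
As an added example (not code from this page or from Qualcomm's tooling), the following Python code parses the PE headers of an image such as `uki.efi`, lists its sections, and reports whether a certificate table, where `sbsign` attaches the signature, is present. The expected section names come from the UKI specification and are this example's policy; `build_sample` produces constructed, non-bootable headers so the check runs without a real image.

```python
import struct

# PE section names from the UAPI UKI specification that correspond to the
# components this page lists for uki.efi. Treating all five as expected is
# this example's policy, not a rule taken from the page.
UKI_EXPECTED = (".linux", ".initrd", ".cmdline", ".osrel", ".uname")
MACHINE_ARM64 = 0xAA64      # IMAGE_FILE_MACHINE_ARM64, matches Efi-arch aa64
CERT_TABLE_INDEX = 4        # data directory slot that holds attached signatures


class PEError(ValueError):
    """Raised when the input is not a parseable PE/COFF image."""


def inspect_pe(data):
    """Return machine type, section names and certificate-table location."""
    try:
        if data[:2] != b"MZ":
            raise PEError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise PEError("missing PE signature")
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", data, pe_off + 4)
        opt_off = pe_off + 24
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic == 0x20B:          # PE32+ (64-bit images such as aa64)
            dir_off = opt_off + 112
        elif magic == 0x10B:        # PE32
            dir_off = opt_off + 96
        else:
            raise PEError(f"unknown optional header magic {magic:#x}")
        (ndirs,) = struct.unpack_from("<I", data, dir_off - 4)
        cert_off = cert_size = 0
        if ndirs > CERT_TABLE_INDEX:
            cert_off, cert_size = struct.unpack_from(
                "<II", data, dir_off + 8 * CERT_TABLE_INDEX)
        sections = []
        sect_off = opt_off + opt_size
        for i in range(nsect):
            (raw,) = struct.unpack_from("<8s", data, sect_off + 40 * i)
            sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    except struct.error as exc:
        raise PEError(f"truncated image: {exc}") from None
    # The certificate table entry is a file offset, not an RVA.
    if cert_size and cert_off + cert_size > len(data):
        raise PEError("certificate table points outside the file")
    return {"machine": machine, "sections": sections,
            "cert_offset": cert_off, "cert_size": cert_size}


def check_uki(data):
    """Return a list of findings; an empty list means nothing was flagged."""
    info = inspect_pe(data)
    findings = [f"missing section {name}" for name in UKI_EXPECTED
                if name not in info["sections"]]
    if info["machine"] != MACHINE_ARM64:
        findings.append(f"unexpected machine type {info['machine']:#06x}")
    if info["cert_size"] == 0:
        findings.append("no certificate table: image is unsigned")
    return findings


def build_sample(sections, signed):
    """Constructed minimal PE32+ headers for the demo; not a bootable image."""
    opt = bytearray(112 + 16 * 8)               # optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", MACHINE_ARM64, len(sections),
                       0, 0, 0, len(opt), 0x22)
    table = b"".join(n.encode().ljust(40, b"\0") for n in sections)
    cert = b"\0" * 16 if signed else b""        # stand-in for a signature blob
    if signed:
        headers_len = len(dos) + 4 + len(coff) + len(opt) + len(table)
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX,
                         headers_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + table + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample(UKI_EXPECTED, signed=False)   # constructed input
    for finding in check_uki(blob) or ["no findings"]:
        print(finding)
```

A certificate table only shows that a signature is attached; `sbverify --cert db.crt uki.efi` checks that signature against a certificate.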

### Image recipes

`meta-qcom/recipes-kernel/images` contains the following recipes:

- `esp-qcom-image.bb` generates a VFAT image, `efi.bin`, which contains `uki.efi` and `systemd-boot`.

The `meta-qcom/classes-recipe/image_types_qcom.bbclass` class invokes the `esp-qcom-image`.

## EFI image

The EFI image, `efi.bin`, is a VFAT file system image stored in the EFI partition of the flash.
This VFAT file system contains the images necessary for the UEFI to load and transfer execution control to systemd-boot.
To transfer execution control to the systemd-boot manager, UEFI mounts `efi.bin`, loads `bootaa64.efi`,
and executes it. The systemd-boot manager parses the `loader.conf`, loads the kernel image, and transfers the control to it.

For more information about the structure of EFI, see [EFI system
partition](https://wiki.archlinux.org/title/EFI_system_partition).

The following is the sample structure of `efi.bin` from Qualcomm Linux.
It contains systemd-boot `bootaa64.efi` and Qualcomm Linux kernel `vmlinuz-<version>`
under the `/ostree/poky-<sha256-sum>` directory.

**Figure: `efi.bin` file generated with OSTree support**

## Signing

Secure boot is a feature in the UEFI standard, but it’s not enabled by default in Qualcomm Linux.
When enabled, secure boot adds a layer of protection to the preboot process by maintaining a cryptographically
signed list of binaries that run at device bootup only if they are successfully authenticated. This ensures that the device’s
boot firmware and Linux OS boot components, such as the boot manager, kernel, and initramfs, haven’t been tampered with.

UEFI secure boot uses a digital signature to validate the
authenticity and integrity of the binary code that it loads. The UEFI secure
variables store all the keys. Achieving UEFI secure boot involves using
the platform key (PK), key exchange key (KEK), database (DB),
and forbidden signatures database (DBX).

Using secure boot requires the keys PK, KEK, and DB. While
multiple KEK, DB, and DBX are allowed, only one PK is allowed.

Enabling UEFI secure boot requires registering the PK in the system.
Qualcomm recommends provisioning PK at the last step of the secure boot
enabling process. For more information about how Qualcomm has implemented
the UEFI secure boot feature, see [Secure
boot](https://docs.qualcomm.com/bundle/publicresource/topics/80-80022-11/features.html#secure-boot).

### Host tool `signing_tool.py` to sign Linux OS images generated by Qualcomm Linux builds

Enabling UEFI secure boot requires signing the EFI and DTB images.
Use the `signing_tool.py` host signing tool to streamline this process.
This command-line Python script runs on a Linux host computer (Ubuntu 20.04 or later versions).
It automates the signing of EFI and DTB images in two separate operations.

The host signing tool is available for download on [GitHub](https://github.com/quic/host-signing-tool).

The host signing tool runs on a Linux machine with Python3 installed.
It can sign either the EFI image or the DTB image in a single
operation. To sign both the EFI and DTB images, you must invoke
the tool twice with different inputs.

**Figure: Linux machine with OpenSSL and sbsign**

The host tool expects unsigned EFI or DTB files, along with
certificates and keys, as input. After invoking, the tool unpacks the
unsigned image, signs the available items using the provided key and
certificate, and then repacks the images, replacing the unsigned
version with the signed one.

### Prerequisites

To run this tool, install the following on the Linux host computer:

- OpenSSL, sbsign, and mtools utilities
- Python3
- pip, subprocess, shlex, socket, glob, and shutil Python modules

### Configure the host signing tool

You must configure the host signing tool before starting the
operation.

The host tool requires providing the necessary information in a `config.ini` configuration file. The tool reads this file and
signs the image accordingly. The following code snippet shows the variables in the configuration file:

#### `config.ini` file

    [common]
    # Section - 1: Common Selection
    # Select operation: sign_image
    operation = sign_image
    # Possible values for file_path are 1. remote or 2. local
    file_path = local
    # If file_path == remote
    local_machine_private_key_path = /usr2/<user_name_for_machine>/.ssh/id_rsa

    # Section - 2: operation == sign_image related common selection
    # Possible values for image_type are 1. efi or 2. dtb
    image_type = efi
    # This option is required if operation == sign_image & image_type == efi
    loader_conf_timeout = 20

    # Below options are required to fetch file from remote Linux machine in the same network (that is if file_path == remote)

    # This option is useful if operation == sign_image & image_type == efi
    [efi_config]
    efi_remote_hostname = <remotemachine_ip_or_hostname_where_efi.bin_available>
    efi_remote_username = <username_on_remote_machine_where_efi.bin_available>
    efi_remote_filepath = <full_path_of_efi.bin_file_on_remotemachine>

    # This option is useful if operation == sign_image. Both image_type requires this option
    [keys_config]
    keys_remote_hostname = <remotemachine_ip_or_hostname_where_keys_available>
    keys_remote_username = <username_on_remote_machine_where_keys_available>
    keys_remote_filepath = <full_path_of_keys_directory_on_remotemachine>

    # This option is useful if operation == sign_image & image_type == dtb
    [dtb_config]
    dtb_remote_hostname = <remotemachine_ip_or_hostname_where_dtb_available>
    dtb_remote_username = <username_on_remote_machine_where_dtb_available>
    dtb_remote_filepath = <full_path_of_dtb_on_remotemachine>

Table: Variables in `config.ini` file

| Variable in config.ini | Values | Description |
| --- | --- | --- |
| `operation` | `sign_image` | Use this configuration to select signing of the image. |
| `image_type` | `efi/dtb` | If `operation == sign_image`, use this configuration to select `efi` or `dtb` to sign separately. |
| `file_path` | `local/remote` | `local`: Keys and `efi.bin`/`dtb.bin` are present in the same path as the script.<br>`remote`: Copy `efi.bin`/`dtb.bin` and the keys from a remote Linux machine to the current path. |
| `local_machine_private_key_path` | `<path of id_rsa file in local machine>` | This file establishes an SSH connection with a remote machine if `file_path = remote`. |
| `loader_conf_timeout` | `<timeout in seconds>` | The systemd-boot wait time to let you choose to authenticate the binaries. This option is required to sign `efi.bin`. |
| `efi/keys/dtb_remote_hostname` | `<ip or hostname of the remote Linux machine>` | If `file_path = remote`, then the host tool selects the host name of the remote machine to copy the `efi/keys/dtb` file from the remote machine using SCP. |
| `efi/keys/dtb_remote_username` | `<username_on_remote_machine>` | If `file_path = remote`, then the host tool selects the user name of the remote machine to copy the `efi/keys/dtb` file from the remote machine using SCP, provided the username is created on the remote machine. |
| `efi/keys/dtb_remote_filepath` | `<full_path_of_file_on_remote_machine>` | If `file_path = remote`, then the host tool selects the path of a `efi/key/dtb` file on the remote machine to copy that file from the remote machine using SCP. |

To configure the host signing tool using the `config.ini` file, do the following:

1. Set the `operation` variable to specify which operation must be performed. The option is `sign_image`.
2. If you select `operation == sign_image`, specify which image to sign by setting the `image_type` variable. The options are either `efi` or `dtb`.
3. Indicate the location of the unsigned EFI and DTB image, keys, and certificates using the `file_path` variable.

    - If you select `local` in the configuration file, copy the EFI and DTB image, keys, and certificate files manually to the local working directory:

        1. Create an `unsigned_binaries` directory in the same path as the script, and then copy the `efi.bin` and `dtb.bin` image into that directory.
        2. Create a `keys` directory in the same path as the script and then copy the `db.auth`, `db.crt`, `db.key`, `KEK.auth`, and `PK.auth` files into that directory.
    - If you want the script to copy the required files automatically from a remote Linux machine on the same network, select `remote` in the configuration file.
      In the configuration file, provide information for the following variables:

        - `local_machine_private_key_path` (mandatory)
        - `[efi_config]` section (if `operation` is `sign_image` and if `image_type` is `efi`)
        - `[keys_config]` section (if `operation` is `sign_image`)
        - `[dtb_config]` section (if `operation` is `sign_image` and if `image_type` is `dtb`)

    Note

    The script supports copying from another Linux machine over SCP within the same network.
4. When `image_type` is set to `efi` in the configuration file, update the `loader_conf_timeout` variable.
5. If you missed any configuration information, the script runs and prompts you for the missing details through the command line.
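
The conditional requirements in steps 1 to 5 can be checked before the tool runs, which helps in unattended builds where the prompt described in step 5 can't be answered. This is an added example and not part of `signing_tool.py`; `check_config` and the sample host names and paths are hypothetical, and values still written as `<...>` placeholders are treated as unset.

```python
import configparser

# Constructed sample: a remote EFI signing run with two values left unfilled.
SAMPLE = """\
[common]
operation = sign_image
file_path = remote
local_machine_private_key_path = <path_to_id_rsa>
image_type = efi
loader_conf_timeout = 20

[efi_config]
efi_remote_hostname = build-host.example
efi_remote_username = builder
efi_remote_filepath = /srv/build/efi.bin

[keys_config]
keys_remote_hostname = build-host.example
keys_remote_username = builder
"""


def _unset(value):
    """True for a missing, empty, or still-templated (<...>) value."""
    text = (value or "").strip()
    return not text or (text.startswith("<") and text.endswith(">"))


def check_config(text):
    """Return a list of problems found in config.ini content (empty if none)."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable config: {exc}"]
    if not cp.has_section("common"):
        return ["missing [common] section"]
    common = cp["common"]
    errors = []

    def need(section, key):
        if not cp.has_section(section) or _unset(cp[section].get(key)):
            errors.append(f"[{section}] {key} is unset")

    def choice(key, allowed):
        value = common.get(key, "").strip()
        if value not in allowed:
            errors.append(
                f"[common] {key} = {value!r} is not one of {', '.join(allowed)}")
        return value

    choice("operation", ("sign_image",))
    image_type = choice("image_type", ("efi", "dtb"))
    file_path = choice("file_path", ("local", "remote"))

    # loader_conf_timeout is only required when signing efi.bin.
    if image_type == "efi":
        if not common.get("loader_conf_timeout", "").strip().isdigit():
            errors.append(
                "[common] loader_conf_timeout must be a whole number of seconds")

    # Remote mode needs the SSH key, [keys_config], and the section that
    # matches the selected image type.
    if file_path == "remote":
        need("common", "local_machine_private_key_path")
        prefixes = ["keys"] + ([image_type] if image_type in ("efi", "dtb") else [])
        for prefix in prefixes:
            for suffix in ("hostname", "username", "filepath"):
                need(f"{prefix}_config", f"{prefix}_remote_{suffix}")
    return errors


if __name__ == "__main__":
    for problem in check_config(SAMPLE) or ["config.ini looks complete"]:
        print(problem)
```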

### Run host signing tool

1. After completing the code build process and obtaining the unsigned `efi.bin` and `dtb.bin` images, run the host signing tool.
2. Store the host signing tool files (`signing_tool.py` and `config.ini`) on a Linux machine. Ensure that both the files are in the same working directory.
3. Set up the host signing tool according to the configuration instructions.
4. Run the following command to launch the host tool from the command line: `$ python3 signing_tool.py`

    The host signing tool displays your selections and operational commands on the screen. It also displays errors in the command line.

    After the tool completes its process, it creates a directory called `signed_binaries` in the same working directory. The signed `efi.bin` or `dtb.bin` image is stored in the directory. The tool deletes other user-created directories after signing.
5. Follow this process twice, once for `efi.bin` and once for `dtb.bin`. After each signing operation, delete the `signed_binaries` directory before starting a new operation.

### Host signing tool workflow

The following figure shows the workflow of the host signing tool:

**Figure: Host signing tool workflow**

- The host tool requires the `efi.bin` and `dtb.bin` paths (absolute path or network path).

    - `efi.bin` with OSTree support contains `vmlinuz-x.y.z` (Qualcomm Linux kernel image) and `bootaa64.efi` (boot loader image).
    - `dtb.bin` contains `qclinux_fit.img`.
- The host tool requires the path of `certificate` and `key` (absolute path or network path) to sign the images.
- The host tool mounts `efi.bin` and `dtb.bin` on the FAT partition, which provides the following directory structure and follows its separate signing process:

    The directory structure of `efi.bin`:

    **Figure: efi.bin**

    The directory structure of `efi.bin` with OSTree support:

    **Figure: efi.bin with OSTree support**

    The directory structure of `dtb.bin`:

    **Figure: dtb.bin**

- After signing the images, the host tool copies the .auth files to the `/loader/keys/authkeys` directory for both `efi.bin` and `dtb.bin`.
- The host tool configures the wait time in the `systemd-boot` loader configuration. This wait time stops the kernel loading and allows you to review and select the `systemd-boot` menu options. The `loader.conf` file must be available in an updated `efi.bin` file.

    Note

    The signing process isn’t followed for the `dtb.bin` file.

    - The host tool configures `/loader/loader.conf`.
    - The syntax for `loader.conf` is `timeout x`, where x = timeout in seconds.
- After the image is signed, the host tool unmounts the `efi.bin/dtb.bin` from the FAT partition. Store the signed `efi.bin` and `dtb.bin` on the host computer in the `signed_binaries` directory, in the same path as the host tool.
- The following is the directory structure for signed `efi.bin` and `dtb.bin`:

    **Figure: Directory structures of efi.bin and dtb.bin files**

### `efi.bin` signing process

- The host tool uses the `sbsign` utility to sign the `uki.efi` or `vmlinuz.x.y.z` and `bootaa64.efi` images separately.
- `sbsign` requires `certificate` and `key` for the signing process. Verify the following syntax, where `dsk1.key` is the key, `dsk1.crt` is the certificate, and the output filename is the same as the input file:

        sbsign --key <key file> --cert <cert file> --output <output file name> <efi file>

- Examples:

        sbsign --key dsk1.key --cert dsk1.crt --output bootaa64.efi bootaa64.efi
        sbsign --key dsk1.key --cert dsk1.crt --output uki.efi uki.efi
        sbsign --key dsk1.key --cert dsk1.crt --output vmlinuz.x.y.z vmlinuz.x.y.z

### `dtb.bin` signing process

- The host tool requires the path of the `dtb.bin` file.
- The host tool requires the path of `key` and `certificate` (absolute path or network path) to sign the images.
- UEFI secure boot requires PE format files for verification. Non-PE files, such as `dtb`, can’t be signed using `sbsign` as this signing tool requires PE format files as input.
- The host tool uses the `openssl` utility to sign the `dtb` file. The syntax is as follows; in the example, `dsk1.key` is the key and `dsk1.crt` is the certificate:

```bash
openssl cms -sign -inkey <.key file> -signer <.crt file> -binary -in <img file> -out <output .sig file> -outform DER
```

- Example:

```bash
openssl cms -sign -inkey dsk1.key -signer dsk1.crt -binary -in <foo.img file> -out <foo.sig file> -outform DER
```

This command writes the signature for the DTB file to a separate file (`foo.sig`) and doesn't modify the original file (`foo.img`). The host tool must therefore keep both files, because the `*.sig` file is used during UEFI secure boot verification.
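A host-side round trip for the `openssl cms` signing step above, as an added example that is not part of the Qualcomm host tool: it signs a constructed stand-in image, confirms the image is left unmodified, and shows that verification fails when the image changes or the `.sig` file is missing. The throwaway self-signed key pair, the file names under a temporary directory, and the use of `openssl cms -verify` as the check are assumptions of this example; the page does not describe how UEFI itself performs the verification.

```shell
#!/bin/sh
# Added example. The key, certificate and image are throwaway files constructed
# for the demo; dsk1.key/dsk1.crt reuse the page's names, not production keys.

# Generate a self-signed test certificate and key in directory $1.
make_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-dsk1" \
        -keyout "$1/dsk1.key" -out "$1/dsk1.crt" >/dev/null 2>&1
}

# The page's signing command: detached DER signature of image $2 written to $3.
sign_image() {
    openssl cms -sign -inkey "$1/dsk1.key" -signer "$1/dsk1.crt" \
        -binary -in "$2" -out "$3" -outform DER >/dev/null 2>&1
}

# Check detached signature $3 over image $2, trusting only $1/dsk1.crt.
# -purpose any: the throwaway certificate is not issued for S/MIME use.
verify_image() {
    openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
        -CAfile "$1/dsk1.crt" -purpose any -out /dev/null >/dev/null 2>&1
}

# Round trip: returns 0 only if the untouched image verifies and every
# altered or incomplete input is rejected.
run_demo() {
    d=$(mktemp -d) || return 1
    make_test_keypair "$d" || { rm -rf "$d"; return 1; }
    printf 'constructed stand-in for a DTB image\n' > "$d/foo.img"
    cp "$d/foo.img" "$d/foo.orig"
    sign_image "$d" "$d/foo.img" "$d/foo.sig" || { rm -rf "$d"; return 1; }
    rc=0
    # Signing must leave the image byte-for-byte unchanged.
    cmp -s "$d/foo.img" "$d/foo.orig" && echo "image unchanged" || rc=1
    verify_image "$d" "$d/foo.img" "$d/foo.sig" && echo "image + sig: verified" || rc=1
    # One byte appended: the existing signature must no longer match.
    cp "$d/foo.img" "$d/bad.img"; printf 'X' >> "$d/bad.img"
    verify_image "$d" "$d/bad.img" "$d/foo.sig" && rc=1 || echo "modified image: rejected"
    # The .sig file was not shipped: there is nothing to verify against.
    verify_image "$d" "$d/foo.img" "$d/missing.sig" && rc=1 || echo "missing .sig: rejected"
    rm -rf "$d"
    return $rc
}

run_demo
```

Both sides pass `-binary` so that OpenSSL does not apply text canonicalization to the image before hashing it.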

## Multi-DTB support

Qualcomm supports multiple Qualcomm development kits based on the same hardware SoC. For
example, the QCS6490 development kit variants include the RB3 Gen 2 Core development kit and the RB3
Gen 2 Vision development kit.

Each Qualcomm development kit variant has its own DTB in the kernel.
During bootup, UEFI selects the appropriate DTB based on the specific
Qualcomm development kit variant. To facilitate this, use a multi-DTB flattened image tree (FIT) image as follows:

### Generate a multi-DTB FIT image

Qualcomm Linux supports generating a FIT‑based multi‑DTB image for platforms where multiple DTBs are required for a single hardware SoC.
This allows UEFI to select the appropriate DTB at boot time based on the detected hardware variant.

For platforms that support FIT images, multiple DTBs are listed using the `KERNEL_DEVICETREE` variable in the machine configuration file.
For example, the following snippet from `meta-qcom/conf/machine/rb3gen2-core-kit.conf` defines two DTBs for the RB3 Gen 2 Core development kit:

```
KERNEL_DEVICETREE ?= " \
    qcom/qcs6490-rb3gen2.dtb \
    qcom/qcs6490-rb3gen2-industrial-mezzanine.dtbo \
    qcom/qcs6490-rb3gen2-vision-mezzanine.dtbo \
    "
```

These DTBs are combined into a single FIT image during the build process.

1. Add DTB compatible strings:

    Each DTB included in a FIT image must have an associated compatible string. UEFI uses these compatible strings to select the correct DTB at boot time.

    - The compatible strings are defined in `meta-qcom/conf/machine/include/fit-dtb-compatible.inc`.
    - The values must be derived by referencing the DTB metadata available at: [https://github.com/qualcomm-linux/qcom-dtb-metadata](https://github.com/qualcomm-linux/qcom-dtb-metadata)

    For the RB3 Gen 2 Core Kit example, add the following entries:

    ```
    FIT_DTB_COMPATIBLE[qcs6490-rb3gen2] = " \
        qcom,qcs5430-iot \
        qcom,qcs6490-iot \
        "
    FIT_DTB_COMPATIBLE[qcs6490-rb3gen2+qcs6490-rb3gen2-industrial-mezzanine] = " \
        qcom,qcs5430-iot-subtype9 \
        qcom,qcs6490-iot-subtype9 \
        "
    FIT_DTB_COMPATIBLE[qcs6490-rb3gen2+qcs6490-rb3gen2-vision-mezzanine] = " \
        qcom,qcs5430-iot-subtype2 \
        qcom,qcs6490-iot-subtype2 \
        "
    ```

2. Enable multi-DTB packaging:

    To package the generated FIT image as a VFAT image (`dtb.bin`), set the following variable in `meta-qcom/classes-recipe/image_types_qcom.bbclass`:

    ```
    QCOM_DTB_DEFAULT ?= "multi-dtb"
    ```

    When this variable is set to `multi-dtb`, the build system packages the combined FIT image containing all DTBs listed in `KERNEL_DEVICETREE` into `dtb.bin`.

#### Development kits without FIT image support

Some platforms do not support FIT‑based DTB selection. This includes certain ride development kits, such as:

- `qcs9100-ride-sx`
- `qcs8300-ride-sx`

For these kits, only a single DTB can be packaged into `dtb.bin`.
For example, the following snippet from `meta-qcom/conf/machine/qcs9100-ride-sx.conf` lists multiple DTBs:

```
KERNEL_DEVICETREE ?= " \
    qcom/qcs9100-ride.dtb \
    qcom/qcs9100-ride-r3.dtb \
    qcom/sa8775p-ride.dtb \
    qcom/sa8775p-ride-r3.dtb \
    "
```

Since FIT‑based DTB selection isn’t supported for this kit, a single DTB must be chosen as the default.
Set the `QCOM_DTB_DEFAULT` variable in the same machine configuration file as follows:

```
QCOM_DTB_DEFAULT ?= "qcs9100-ride-r3"
```

With this setting, only `qcs9100-ride-r3.dtb` is packaged into the VFAT image (`dtb.bin`) and used during boot.

### DTB partition

- The generated VFAT image named `dtb.bin` contains the combined DTB image. A dedicated partition named `dtb` is present on the Qualcomm development kits. Flash `dtb.bin` to this partition.
- UEFI parses the combined DTB present in the `dtb` partition and selects a matching DTB for the hardware.

Last Published: May 10, 2026
