Signing a bootc image for secure boot

Follow this procedure to sign a bootc container image for Secure Boot. AutoSD supports two Secure Boot methods:

  • UEFI Secure Boot for non-Qualcomm boards
  • Android Verified Boot (AVB) for Qualcomm boards

Both methods use the same aib signing commands.

Prerequisites
  • aib (Automotive Image Builder) installed and configured. For installation instructions, see Installing Automotive Image Builder.
  • A manifest file (.aib.yml) defining the image. For details, see Creating a custom manifest.
  • Access to a signing key or hardware security module (HSM) capable of producing UEFI Secure Boot signatures.
  • Familiarity with the secure boot signing concepts described in Secure boot signing.
Signing workflow
  1. Build a bootc container image. Build the container image from your manifest:

    $ aib build <manifest> <image>

    Replace <manifest> with the path to your manifest file (.aib.yml) and <image> with the desired container image name. The command produces a bootc container image stored in the local container registry.

    If the image requires additional modifications (for example, layering packages with a Containerfile or injecting configuration files), apply those changes to the container image before proceeding. All modifications must happen before the prepare-reseal step because any change that alters the initramfs after that point invalidates the Secure Boot signature.

  2. Generate a signing key. Generate an Ed25519 key pair for image sealing:

    $ openssl genpkey -algorithm ed25519 -outform PEM -out private.pem

    Keep the private key secure. The prepare-reseal command injects the public portion into the initramfs.

    Tip

    For stronger protection of the private key on disk, consider generating a password-encrypted private key with OpenSSL instead of storing an unencrypted PEM file. Subsequent steps that use the key can prompt for the password when needed.

  3. Prepare the image for signing. Inject the public key into the initramfs and prepare the image for the signing workflow:

    $ aib prepare-reseal --key private.pem <image> <prepared-image>

    Replace <image> with the unsigned container image from step 1 and <prepared-image> with the name for the prepared output image.

  4. Extract files for signing. Extract the boot-critical files (EFI executables and boot partition images) from the prepared image:

    $ aib extract-for-signing <prepared-image> <signing-dir>

    Replace <signing-dir> with the directory where the extracted files should be placed.

  5. Sign the extracted files. Sign the files in <signing-dir> using your organization's signing infrastructure. The specific tooling depends on your public key infrastructure. Common options include pesign, sbsign, or a remote signing service connected to a Hardware Security Module (HSM).

    After signing, the files in <signing-dir> should carry valid Secure Boot signatures.

  6. Inject signed files and seal the image. Replace the unsigned files in the prepared image with the signed versions and reseal the image in a single step:

    $ aib inject-signed --reseal-with-key private.pem <prepared-image> <signing-dir> <signed-image>

    The --reseal-with-key flag reseals the image with the private key after injecting the signed files. After this step, the image is finalized and no further modifications are possible.

  7. Convert to a disk image (optional). If you need a bootable disk image rather than a container image, convert it:

    $ aib to-disk-image <signed-image> <output-file>

    Replace <output-file> with the desired disk image path. The format is inferred from the file extension (for example, .qcow2 or .img).
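The following script is an added example, not part of the AutoSD documentation or the aib project, that chains steps 1 to 7 for the UEFI Secure Boot path and fills in step 5 with sbsign and sbverify. It assumes a separate Secure Boot db signing key and X.509 certificate (hypothetical DB_KEY and DB_CERT arguments), which are distinct from the Ed25519 sealing key, and it generates that sealing key password-encrypted as the Tip suggests.

```shell
#!/bin/sh
# Added example (not from the AutoSD docs): end-to-end aib signing workflow
# for UEFI Secure Boot. The db key/cert used by sbsign are assumptions and
# belong to your PKI; the Ed25519 sealing key is generated here.
set -eu

# Return 0 if FILE starts with the PE/COFF "MZ" magic, i.e. is an EFI executable
# that needs an Authenticode signature. Boot partition images are left alone.
is_pe_binary() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Print every PE binary below DIR, one path per line.
list_signable() {
    find "$1" -type f | while IFS= read -r f; do
        if is_pe_binary "$f"; then printf '%s\n' "$f"; fi
    done
}

# Step 5: sign each PE binary in DIR in place with the db key, then verify the
# signature against the db certificate before replacing the original.
sign_dir() {
    dir=$1; key=$2; cert=$3
    list_signable "$dir" | while IFS= read -r f; do
        sbsign --key "$key" --cert "$cert" --output "$f.signed" "$f"
        sbverify --cert "$cert" "$f.signed"
        mv "$f.signed" "$f"
    done
}

# Steps 1-7: build, seal, extract, sign, inject/reseal, convert to disk image.
run_pipeline() {
    manifest=$1; image=$2; db_key=$3; db_cert=$4; out=$5
    work=$(mktemp -d)
    aib build "$manifest" "$image"
    # Password-encrypted Ed25519 sealing key (openssl prompts for the passphrase).
    openssl genpkey -algorithm ed25519 -aes256 -outform PEM -out "$work/private.pem"
    aib prepare-reseal --key "$work/private.pem" "$image" "$image-prepared"
    aib extract-for-signing "$image-prepared" "$work/sign"
    sign_dir "$work/sign" "$db_key" "$db_cert"
    aib inject-signed --reseal-with-key "$work/private.pem" \
        "$image-prepared" "$work/sign" "$image-signed"
    aib to-disk-image "$image-signed" "$out"
}

# Usage: sh sign-bootc.sh run <manifest.aib.yml> <image> <db.key> <db.crt> <out.qcow2>
if [ "${1:-}" = "run" ]; then
    shift
    run_pipeline "$@"
fi
```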