This notebook describes the procedure for creating a certificate block v1 using SPSDK (Secure Provisioning SDK). It provides a step-by-step guide on how to generate and structure the certificate block, which is crucial for secure boot processes and firmware signing in embedded systems. The notebook demonstrates the practical application of SPSDK tools to create a standardized and secure certificate block format.
For more detailed information about the certificate block format, you can refer to the following file:
SPSDK is needed with the examples extension: `pip install "spsdk[examples]"` (please refer to the installation documentation).
X.509 certificates for the project have already been generated as per the requirements (refer to the Certificates section of the SPSDK documentation).
In our scenario we will use the already prepared X.509 certificates from the example folder. Prepared X.509 certificates: ../_data/keys/rsa2048
Let's also prepare the workspace and variables.
# Initialization cell
from spsdk.utils.jupyter_utils import YamlDiffWidget

# This env variable sets colored logger output to STDOUT
%env JUPYTER_SPSDK=1

# Set a magic for command execution and echo
%alias execute echo %l && %l
%alias_magic ! execute
env: JUPYTER_SPSDK=1
Created `%!` as an alias for `%execute`.
2. Prepare the certificate block configuration file
As a starting point, the template configuration file was generated and then modified to satisfy our requirements. The widget below shows each template entry together with the change we made to it.
# Get explanation of our configuration file changes
YamlDiffWidget("./inputs/cert_block_v1.diffc").html
# == Certificate V1 Settings ==

# Image Build Number [Optional]
# Description: If omitted, 0 is used as the default value.
imageBuildNumber: 0
  -> Removed because the default value 0 fulfils our needs for example purposes.

# Chain certificates 0..3 for root 0 [Optional]
# Description: Chain certificate <depth> for root certificate 0
chainCertificate0File0: chain_certificate0_depth0.pem
chainCertificate0File1: chain_certificate0_depth1.pem
chainCertificate0File2: chain_certificate0_depth2.pem
chainCertificate0File3: chain_certificate0_depth3.pem
  -> Unused because we are not using chains of certificates in our example.

# Chain certificates 0..3 for root 1 [Optional]
# Description: Chain certificate <depth> for root certificate 1
chainCertificate1File0: chain_certificate1_depth0.pem
chainCertificate1File1: chain_certificate1_depth1.pem
chainCertificate1File2: chain_certificate1_depth2.pem
chainCertificate1File3: chain_certificate1_depth3.pem
  -> Unused because we are not using chains of certificates in our example.

# Chain certificates 0..3 for root 2 [Optional]
# Description: Chain certificate <depth> for root certificate 2
chainCertificate2File0: chain_certificate2_depth0.pem
chainCertificate2File1: chain_certificate2_depth1.pem
chainCertificate2File2: chain_certificate2_depth2.pem
chainCertificate2File3: chain_certificate2_depth3.pem
  -> Unused because we are not using chains of certificates in our example.

# Chain certificates 0..3 for root 3 [Optional]
# Description: Chain certificate <depth> for root certificate 3
chainCertificate3File0: chain_certificate3_depth0.pem
chainCertificate3File1: chain_certificate3_depth1.pem
chainCertificate3File2: chain_certificate3_depth2.pem
chainCertificate3File3: chain_certificate3_depth3.pem
  -> Unused because we are not using chains of certificates in our example.

# == Root Keys Settings ==

# Root Certificate File 0 [Conditionally required]
# Description: Root certificate file index 0.
rootCertificate0File: my_certificate0.pub
  -> Changed to the existing path of the Root of Trust certificate:
rootCertificate0File: ../../_data/keys/rsa2048/srk0_cert.pem

# Root Certificate File 1 [Optional]
# Description: Root certificate file index 1.
rootCertificate1File: my_certificate1.pub
  -> Changed to the existing path of the Root of Trust certificate:
rootCertificate1File: ../../_data/keys/rsa2048/srk1_cert.pem

# Root Certificate File 2 [Optional]
# Description: Root certificate file index 2.
rootCertificate2File: my_certificate2.pub
  -> Changed to the existing path of the Root of Trust certificate:
rootCertificate2File: ../../_data/keys/rsa2048/srk2_cert.pem

# Root Certificate File 3 [Optional]
# Description: Root certificate file index 3.
rootCertificate3File: my_certificate3.pub
  -> Changed to the existing path of the Root of Trust certificate:
rootCertificate3File: ../../_data/keys/rsa2048/srk3_cert.pem

# Main Certificate Index [Conditionally required]
# Description: Index of the certificate that is used as the main one. If not defined, the certificate matching the private key will be selected.
mainRootCertId: 0
  -> As a good example we set the main root index of the RoT to 0.

# == Basic Settings ==

# cert block filename [Required]
# Description: Generated cert block filename.
containerOutputFile: cert_block.bin
  -> Modified the output path to our example needs. For output files in the SPSDK workspace, relative paths are always relative to the configuration file location:
containerOutputFile: ../workspace/cert_block_v1.bin
The resulting configuration after these changes (the notes from the diff widget are kept beside each changed value):

# == Root Keys Settings ==
# Description: Root certificate file index 0..3.
rootCertificate0File: ../../_data/keys/rsa2048/srk0_cert.pem   # changed to the existing path of the Root of Trust certificate
rootCertificate1File: ../../_data/keys/rsa2048/srk1_cert.pem   # changed to the existing path of the Root of Trust certificate
rootCertificate2File: ../../_data/keys/rsa2048/srk2_cert.pem   # changed to the existing path of the Root of Trust certificate
rootCertificate3File: ../../_data/keys/rsa2048/srk3_cert.pem   # changed to the existing path of the Root of Trust certificate
# Description: Index of the certificate that is used as the main one. If not defined, the certificate matching the private key will be selected.
mainRootCertId: 0   # as a good example we set the main root index of the RoT to 0

# == Basic Settings ==
# Description: Generated cert block filename.
containerOutputFile: ../workspace/cert_block_v1.bin   # output path modified to our example needs; relative paths are always relative to the configuration file location
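Two things in this configuration are easy to get wrong and only show up when the block is exported or, worse, when the device rejects the image: `mainRootCertId` must reference one of the `rootCertificate<N>File` entries you actually configured (that root is the one the signing key has to belong to), and every certificate path is resolved relative to the configuration file, not to the shell's working directory (which is why the file in `./inputs/` points at `../../_data/...` while the prerequisites above say `../_data/...`). The following pre-flight check is an added example, not code from this notebook or from SPSDK; `check_cert_block_config` and `resolve` are hypothetical helpers, the key names are taken from the template above, and the directory layout and the set of "existing" files are constructed so the check runs offline.

```python
"""Pre-flight consistency check for a certificate block v1 YAML configuration.

Added example; not SPSDK code. `check_cert_block_config` and `resolve` are
hypothetical helpers. Assumptions: the keys used are the ones shown in the
template above (rootCertificate{0..3}File, chainCertificate{root}File{depth},
mainRootCertId, imageBuildNumber, containerOutputFile), and relative paths are
resolved against the configuration file's directory, as this page states.
"""
import posixpath
import re
from typing import Dict, List, Optional, Set

ROOT_RE = re.compile(r"^rootCertificate([0-3])File$")
CHAIN_RE = re.compile(r"^chainCertificate([0-3])File([0-3])$")

# Constructed layout mirroring this notebook: the config lives in ./inputs/,
# so "../../_data/keys/rsa2048/..." climbs out of inputs/ and the example dir.
CONFIG_DIR = "examples/cert_block/inputs"
# Constructed stand-in for the files on disk, so the check runs offline.
EXISTING: Set[str] = {f"examples/_data/keys/rsa2048/srk{i}_cert.pem" for i in range(4)}


def resolve(config_dir: str, path: str) -> str:
    """Resolve a path the way the page describes: relative to the config file."""
    return posixpath.normpath(posixpath.join(config_dir, path))


def check_cert_block_config(
    cfg: Dict[str, object], config_dir: str, existing: Optional[Set[str]] = None
) -> List[str]:
    """Return findings; an empty list means the configuration is consistent."""
    findings: List[str] = []
    roots: Set[int] = set()
    chains: Dict[int, List[int]] = {}
    for key in cfg:
        m = ROOT_RE.match(key)
        if m:
            roots.add(int(m.group(1)))
        m = CHAIN_RE.match(key)
        if m:
            chains.setdefault(int(m.group(1)), []).append(int(m.group(2)))

    # Root 0 is the only root the template marks as required.
    if 0 not in roots:
        findings.append("rootCertificate0File is required")

    # The main root is the one used for signing; it must be a configured root.
    # Leaving it unset is allowed: SPSDK then picks the root matching the private key.
    main = cfg.get("mainRootCertId")
    if main is not None and (not isinstance(main, int) or main not in roots):
        findings.append(f"mainRootCertId={main!r} does not reference a configured root certificate")

    # A chain needs its root and must start at depth 0 without gaps.
    for root, depths in chains.items():
        if root not in roots:
            findings.append(f"chain given for root {root} but rootCertificate{root}File is missing")
        if sorted(depths) != list(range(len(depths))):
            findings.append(f"chain for root {root} must be contiguous from depth 0, got {sorted(depths)}")

    build = cfg.get("imageBuildNumber", 0)
    if not isinstance(build, int) or build < 0:
        findings.append(f"imageBuildNumber {build!r} must be a non-negative integer")

    if "containerOutputFile" not in cfg:
        findings.append("containerOutputFile is required")

    # Certificate paths are resolved relative to the config file, not the CWD.
    if existing is not None:
        for key, value in cfg.items():
            if ROOT_RE.match(key) or CHAIN_RE.match(key):
                full = resolve(config_dir, str(value))
                if full not in existing:
                    findings.append(f"{key}: {full} not found (resolved relative to the config file)")
    return findings


# The configuration produced on this page, as a dict (constructed input).
GOOD_CONFIG: Dict[str, object] = {
    "rootCertificate0File": "../../_data/keys/rsa2048/srk0_cert.pem",
    "rootCertificate1File": "../../_data/keys/rsa2048/srk1_cert.pem",
    "rootCertificate2File": "../../_data/keys/rsa2048/srk2_cert.pem",
    "rootCertificate3File": "../../_data/keys/rsa2048/srk3_cert.pem",
    "mainRootCertId": 0,
    "containerOutputFile": "../workspace/cert_block_v1.bin",
}

# A deliberately inconsistent variant (constructed): main root 2 is not
# configured, and the chain for root 3 has no root and starts at depth 1.
BAD_CONFIG: Dict[str, object] = {
    "rootCertificate0File": "../../_data/keys/rsa2048/srk0_cert.pem",
    "rootCertificate1File": "../../_data/keys/rsa2048/srk1_cert.pem",
    "mainRootCertId": 2,
    "chainCertificate3File1": "chain_certificate3_depth1.pem",
    "containerOutputFile": "../workspace/cert_block_v1.bin",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_cert_block_config(cfg, CONFIG_DIR, EXISTING) or "OK")
```

Run it from any directory: because the check resolves paths against `CONFIG_DIR` rather than the current working directory, it reports the same findings regardless of where it is launched, which is exactly the property the exported block will have. Pass `existing=None` to skip the file-existence check and validate only the structure of the dictionary.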