Some images are not signed(as shown below). Can I add a signature or enable oem_sign in the flash_t194_sdmmc.xml

Hi,we want to check the secure boot to make sure it comply with company safety requirements.
So there Some details need to be worked out.
Some images are not signed(as shown below). Can I add a signature or enable oem_sign in the flash_t194_sdmmc.xml?
like kernel partition
BCT
MB1_BCT
MEM_BCT
SMD
VER
secondary_gpt
master_boot_record
primary_gpt
xusb-fw
BOOTCTRLNAME
CPUBL-CFG

hello Username1,

some of them were actually sign and encrypt with your own keys.
you may check flashing logs.
for example,

[ 105.4015 ] tegradevflash_v2 --write MB1_BCT mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
[ 105.4028 ] Bootloader version 01.00.0000
[ 105.5331 ] Writing partition MB1_BCT with mb1_cold_boot_bct_MB1_sigheader.bct.encrypt
[ 105.5336 ] [................................................] 100%
[ 105.7205 ] tegradevflash_v2 --write MEM_BCT mem_coldboot_sigheader.bct.encrypt
[ 105.7214 ] Bootloader version 01.00.0000
[ 105.8534 ] Writing partition MEM_BCT with mem_coldboot_sigheader.bct.encrypt
[ 105.8540 ] [................................................] 100%

hello JerryChang,

1 for MB1_BCT and MEM_BCT
I did not set oem_sign=“true” in the flash_t194_sdmmc.xml,so the sign and encrypt is the same with the other image?
2 for the below image,we can see that ,it did not signed or encryot
[ 233.0325 ] tegradevflash_v2 --write BCT br_bct_BR.bct
[ 233.0346 ] Bootloader version 01.00.0000
[ 233.0375 ] Writing partition BCT with br_bct_BR.bct
[ 233.0385 ] […] 100%

[ 9.9335 ] Writing partition SMD with slot_metadata.bin
[ 9.9530 ] […] 100%
[ 9.9542 ] Writing partition SMD_b with slot_metadata.bin

[ 9.9694 ] Writing partition VER_b with emmc_bootblob_ver.txt
[ 9.9839 ] […] 100%
[ 9.9881 ] Writing partition VER with emmc_bootblob_ver.txt

[ 8.8099 ] Writing partition secondary_gpt with gpt_secondary_0_3.bin
[ 8.8114 ] […] 100%

[ 9.5951 ] Writing partition master_boot_record with mbr_1_3.bin
[ 9.5965 ] […] 100%

[ 9.5968 ] Writing partition primary_gpt with gpt_primary_1_3.bin
[ 9.6032 ] […] 100%

[ 9.6048 ] Writing partition secondary_gpt with gpt_secondary_1_3.bin
[ 9.6265 ] […] 100%

[ 229.1452 ] Writing partition xusb-fw with xusb_sil_rel_fw
[ 229.1570 ] […] 100%
[ 229.1619 ] Writing partition xusb-fw_b with xusb_sil_rel_fw
[ 229.1686 ] […] 100%

My question is can I add a signature or enable oem_sign in the flash_t194_sdmmc.xml?

hello Username1,

we may need more details about your use-case, what’s your safety requirements exactly.

there’s PKC used to ensure data integrity.
with PKC protection, if there’s any boot code changes or corruption, boot should not be able to go through.
there’s SBK to protect data confidentiality.
with SBK protection, boot code should be properly encrypted, it will check signature for boot.

BTW, below were already under PKC/SBK protection.
BCT
MB1_BCT
MEM_BCT

Hello JerryChang,

   we want to check if all the partition had sign and verify,if you make sure that the below partition had sign
   *BCT*
   *MB1_BCT*
   *MEM_BCT*

   what about the below partition?
  SMD
  VER
  secondary_gpt
  master_boot_record
 primary_gpt
 xusb-fw
 BOOTCTRLNAME
 CPUBL-CFG

hello Username1,

to clarify, do you have a request to have ALL partitions to be signed and encrypted?

  1. below were used to control disk formats. they are used to control boot flow.
    secondary_gpt
    master_boot_record
    primary_gpt

  2. these were in a clear text, it’s not boot code, they are also used to control boot flow.
    SMD
    VER
    BOOTCTRLNAME
    CPUBL-CFG

  3. this is the only piece that is unsigned and has not encrypted.
    xusb-fw

hello @Username1,

may I have your feedbacks regarding to post #8.
thanks