Skip to content

Mfournier/ti secureappnote update #484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
StaticRocket merged 2 commits into from
Oct 16, 2025
Merged

Mfournier/ti secureappnote update #484

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
21af942
fix(android): update ta keys name extension
FournierMx Oct 15, 2025
908c005
feat(android): add note for avbtool dependency
FournierMx Oct 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions source/android/Application_Notes_Android_Secure_Build.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,8 @@
$ cd ${YOUR_PATH}/ti-bootloader-aosp/build
$ ./secure.sh generate_ta_keys
$ ls -1 .keys/
ta.key
ta_pub.key
ta.pem
ta_pub.pem

- Generate AVB public/private keys:

Expand All @@ -66,6 +66,19 @@

That will generate ``avb.key`` and ``avb_pub.key`` under ``build/.keys``.

.. note::

**Dependency on avbtool**:

The ``./secure.sh generate_avb_keys`` command has a dependency on the ``avbtool`` binary.
The tool is present in the kernel repository at ``prebuilts/kernel-build-tools/linux-x86/bin/avbtool``.
If the command fails with the message: ``avbtool: command not found``, update your ``PATH``

Check warning on line 75 in source/android/Application_Notes_Android_Secure_Build.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Spelling] Verify the word 'avbtool'. It is not in the American English spelling dictionary used by Vale.

Raw Output:
{"message": "[RedHat.Spelling] Verify the word 'avbtool'. It is not in the American English spelling dictionary used by Vale.", "location": {"path": "source/android/Application_Notes_Android_Secure_Build.rst", "range": {"start": {"line": 75, "column": 45}}}, "severity": "WARNING"}
environment variable to include the avbtool path:

Check warning on line 76 in source/android/Application_Notes_Android_Secure_Build.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Spelling] Verify the word 'avbtool'. It is not in the American English spelling dictionary used by Vale.

Raw Output:
{"message": "[RedHat.Spelling] Verify the word 'avbtool'. It is not in the American English spelling dictionary used by Vale.", "location": {"path": "source/android/Application_Notes_Android_Secure_Build.rst", "range": {"start": {"line": 76, "column": 40}}}, "severity": "WARNING"}

.. code-block:: console

$ export PATH=$PATH:${YOUR_PATH}/ti-kernel-aosp/prebuilts/kernel-build-tools/linux-x86/bin

The bootloaders scripts will detect that ``avb_pub.key`` is present and will include it into U-Boot.

.. ifconfig:: CONFIG_part_variant in ('AM62X')
Expand Down Expand Up @@ -94,9 +107,9 @@
+---------------------+-----------------------------------------------------------------------------+
| ``avb_pub.key`` | (Optional) Public key used by U-Boot to verify Android images |
+---------------------+-----------------------------------------------------------------------------+
| ``ta.key`` | (Optional) Private key used to sign Trusted Application (OP-TEE) |
| ``ta.pem`` | (Optional) Private key used to sign Trusted Application (OP-TEE) |

Check warning on line 110 in source/android/Application_Notes_Android_Secure_Build.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/android/Application_Notes_Android_Secure_Build.rst", "range": {"start": {"line": 110, "column": 88}}}, "severity": "INFO"}
+---------------------+-----------------------------------------------------------------------------+
| ``ta_pub.key`` | (Optional) Public key used to sign Trusted Application (OP-TEE) |
| ``ta_pub.pem`` | (Optional) Public key used to sign Trusted Application (OP-TEE) |

Check warning on line 112 in source/android/Application_Notes_Android_Secure_Build.rst

View workflow job for this annotation

GitHub Actions / vale 

[vale] reported by reviewdog 🐶
[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.

Raw Output:
{"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'TEE') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/android/Application_Notes_Android_Secure_Build.rst", "range": {"start": {"line": 112, "column": 87}}}, "severity": "INFO"}
+---------------------+-----------------------------------------------------------------------------+


Expand Down