Signing debian base image

[Kit]

Hello,

I would like to stand up and manage my own PKI on and with usb armory mk ii, I can build the debian base image, and I've checked out the armory-boot repo so I know how to sign armory boot images, but I'm confused as to what I should sign during the make process for the debian image.

Should I sign the u-boot binary? or add a signed armory-boot at the start of the sd card?

Thanks!

[Andrea Barisani]

Hi,

if you are keen in developing in Go we recommend using our TamaGo framework to develop such applications.

If you would like a Linux based setup the secure boot instructions are here:

https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)

We provide documentation for signing the armory-boot image and maintain the root of trust using armory-boot, however we do not provide instructions on how to maintain the root-of-trust in Linux (as we leave that to the user choice), and that is essential to have a meaningful Secure Boot setup. For this reason we recommend an easier TamaGo unikernel to be signed (which doesn't require a bootloader and can be sign as shown at https://github.com/usbarmory/tamago-example/blob/0720577d395a4cac860ae937534638a07e652c92/Makefile#L204

I hope this helps.

Cheers