.. _secure_boot: Secure Boot ########### Overview ******** Secure Boot ensures that only authenticated firmware is executed by verifying digital signatures before booting. The ECDSA P-256 curves have been validated and optimized for Atmosic SoC for improved performance and security. By default, ECDSA P-256 is used when building for Atmosic EVKs. Key Generation ************** To generate a key file for signing firmware images, use ``bootloader/mcuboot/scripts/imgtool.py``, which is part of MCUboot. For example, to generate an ECDSA P-256 key: .. code-block:: bash imgtool.py keygen -k my_ecdsa_p256_key.pem -t ecdsa-p256 Key Configuration ***************** To specify the generated .pem key file for signing, set the ``-DCONFIG_BOOT_SIGNATURE_KEY_FILE=\"\"`` option when building **both the MCUboot and the application** (not needed for the SPE). If a key file is not explicitly specified, MCUboot uses its default test keys, which should not be used in production for security reasons. Building with Custom Keys ************************* Building MCUboot ================ For example, to build MCUboot with the ECDSA P-256 key generated above: .. code-block:: bash west build -p -s -b @mcuboot_bl -d build// -- -DCONFIG_BOOT_SIGNATURE_KEY_FILE=\"/my_ecdsa_p256_key.pem\" Building the Application ======================== To build the application with the ECDSA P-256 key generated above: .. code-block:: bash west build -p -s -b @mcuboot -d build// -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"/my_ecdsa_p256_key.pem\" Building with Sysbuild ====================== To build all images with the ECDSA P-256 key generated above using sysbuild: .. code-block:: bash west build -p -s -b @mcuboot --sysbuild -T -DSB_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"/my_ecdsa_p256_key.pem\" .. note:: The ```` is named with ``.mcuboot`` in sample.yaml of ```` folder. Refer to the :ref:`Sysbuild and Flash ` for usage details of sysbuild.