This guide outlines the steps to enable Thistle Verified Boot (TVB) on a BeagleBone Black using an Infineon OPTIGA™ Trust M as the hardware root of trust. By the end, your BeagleBone Black will only boot kernels signed by your Thistle Control Center project’s key, verified against the public key stored in the Trust M.

Prerequisites

  • BeagleBone Black board with power supply and necessary cables
  • Infineon OPTIGA Trust M secure element (on breakout board)
  • I²C wiring from Trust M to BeagleBone Black:
    • SDA → Pin 19
    • SCL → Pin 20
    • 3.3V Power
    • GND
  • MicroSD card (8 GB or larger)
  • Thistle Yocto image: Download link
  • Thistle Control Center account with:
    • A project
    • A Linux Kernel Verified Boot key pair
  • Host computer (Linux/macOS) with internet access
  • (Optional) USB UART cable for serial console access

Step 1: Flash the OS

  1. Download the Thistle Yocto image.

  2. Flash it to the SD card using dd:

    sudo dd if=core-image-minimal-beaglebone-yocto-20230706145208.rootfs.wic of=/dev/sdX bs=4M status=progress && sync
    
  3. Insert the SD card into the BeagleBone Black and power it on.

  4. Log in if prompted (default credentials may vary).


Step 2: Sign the Kernel

  1. Mount the boot partition from the SD card:

    sudo mount /dev/sdX1 /mnt/boot
    
  2. Copy the Image file to your computer:

    cp /mnt/boot/Image ./Image
    
  3. In Thistle Control Center:

    • Navigate to your project → Signed Firmware
    • Click + Signed Firmware Bundle
    • Select:
      • Hardware: BeagleBone Black + OPTIGA Trust M
      • Firmware Type: Linux Kernel Verified Boot
      • Upload Image
    • Click Create
  4. Download the resulting kernel-sig file.


Step 3: Program the Trust M

  1. The Trust M command-line tools are already included in the Thistle Yocto image, so run the following commands on the BeagleBone Black.

  2. Verify that the Trust M responds over I²C:

    sudo trustm_chipinfo
    
  3. Copy your public key from Thistle Control Center and save it as project_pubkey.pem.

  4. Convert the PEM public key to the raw 64-byte format the Trust M expects:

    openssl ec -pubin -in project_pubkey.pem -outform DER 2>/dev/null \
      | xxd -i -s 27 | xxd -r -p > pk
    
  5. Write the public key to slot 0xE0E8:

    sudo trustm_data -X -e -w 0xe0e8 -i pk
    
  6. (Optional) Lock the slot:

    sudo trustm_metadata -X -C n -w 0xe0e8
    
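The openssl/xxd pipeline in step 4 blindly skips 27 bytes of the DER encoding, so a key that is not an uncompressed P-256 key would still produce a pk file and be written to the slot as garbage. The following stdlib-only Python script is an added pre-flight check, not part of this guide or of Thistle's tooling: it performs the same extraction but first validates the SubjectPublicKeyInfo header and checks that the point lies on the curve. The sample key is the P-256 generator point, constructed here purely for illustration.

```python
import base64
# Fixed 26-byte SubjectPublicKeyInfo prefix of an uncompressed P-256 key:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING }
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")
UNCOMPRESSED = b"\x04"
# P-256 domain parameters (FIPS 186-4): y^2 = x^3 - 3x + b  (mod p)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def spki_to_trustm_raw(der: bytes) -> bytes:
    """Return the 64-byte X||Y that the guide's `xxd -s 27` pipeline extracts,
    but raise ValueError unless it is an uncompressed point on P-256."""
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    point = der[len(P256_SPKI_PREFIX):]
    if point[:1] != UNCOMPRESSED:
        raise ValueError("public key point is not in uncompressed form")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    if not (0 < x < P and 0 < y < P):
        raise ValueError("coordinate out of range")
    if (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return point[1:]

def is_trustm_p256_key(der: bytes) -> bool:
    """Boolean pre-flight check to run before `trustm_data -w 0xe0e8`."""
    try:
        spki_to_trustm_raw(der)
        return True
    except ValueError:
        return False

# Constructed sample: the P-256 generator point wrapped as a public key
# (the key for private scalar 1; an illustration only, not a project key).
SAMPLE_DER = P256_SPKI_PREFIX + UNCOMPRESSED + bytes.fromhex(
    "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
    "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END PUBLIC KEY-----\n")
```

Writing the return value of spki_to_trustm_raw(pem_to_der(open("project_pubkey.pem").read())) to a file yields the same pk bytes as the pipeline in step 4 for a valid key, and an exception instead of a silently wrong file otherwise.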

Step 4: Install Thistle Boot Assets

  1. Mount the SD card’s boot partition:

    sudo mount /dev/sdX1 /mnt/boot
    cd /mnt/boot
    
  2. Backup existing boot files:

    mv boot.scr boot.scr.orig
    mv u-boot.img u-boot.img.orig
    
  3. Download Thistle’s U-Boot and boot script:

    curl -O https://storage.googleapis.com/thistle-blobs/bbb/boot.scr
    curl -O https://storage.googleapis.com/thistle-blobs/bbb/u-boot.img
    
  4. Copy the kernel-sig file to the boot partition:

    cp ~/Downloads/kernel-sig ./kernel-sig
    
  5. Sync and unmount:

    sync
    sudo umount /mnt/boot
    

Step 5: Boot and Verify

  1. Insert the SD card into the BeagleBone Black.

  2. Press and hold the USER button while powering on the board to boot from the SD card.

  3. Release the button when U-Boot starts.

  4. Use a serial console (115200 baud) to monitor the boot process.

  5. Look for messages indicating signature verification via Trust M, such as:

    Reading TrustM at slot 0xe0e8
    
  6. If the signature is valid, the kernel boots normally.

  7. Log in and confirm the system is running with secure boot enabled.


Conclusion

You’ve successfully enabled Thistle Verified Boot on a BeagleBone Black with the Trust M secure element. Your device will now only boot kernels signed with your project’s private key, enhancing the security of your deployment.