This guide outlines the steps to enable Thistle Verified Boot (TVB) on a BeagleY-AI using an Infineon OPTIGA™ Trust M as the hardware root of trust. By the end, your BeagleY-AI will only boot kernels signed by your Thistle Control Center project’s key, verified against the public key stored in the Trust M.

Prerequisites

  • BeagleY-AI board with power supply and necessary cables
  • Infineon OPTIGA Trust M secure element (on breakout board)
  • I²C wiring from Trust M to BeagleY-AI:
    • SDA → GPIO 2 (Physical Pin 3)
    • SCL → GPIO 3 (Physical Pin 5)
    • 3.3V Power
    • GND
  • MicroSD card (8 GB or larger)
  • BeagleY-AI OS image from BeagleBoard.org
  • Thistle Control Center account with:
    • A project
    • A Linux Kernel Verified Boot key pair
  • Host computer (Linux/macOS) with internet access
  • (Optional) USB UART cable for serial console access

Step 1: Flash the OS

  1. Download the BeagleY-AI image.

  2. Flash it to the SD card using dd:

    sudo dd if=beagley-ai-image.img of=/dev/sdX bs=4M status=progress && sync

  3. Insert the SD card into the BeagleY-AI and power it on.

  4. Log in if prompted (default credentials may vary).

Step 2: Sign the Kernel

  1. Mount the boot partition from the SD card:

    sudo mount /dev/sdX1 /mnt/boot

  2. Copy the Image file to your computer:

    cp /mnt/boot/Image ./Image

  3. In Thistle Control Center:

    • Navigate to your project → Signed Firmware
    • Click + Signed Firmware Bundle
    • Select:
      • Hardware: BeagleY-AI + OPTIGA Trust M
      • Firmware Type: Linux Kernel Verified Boot
      • Upload Image
    • Click Create

  4. Download the resulting kernel-sig file.

Step 3: Program the Trust M

  1. On the BeagleY-AI, download and unzip the Trust M tools:

    curl -LO https://storage.googleapis.com/thistle-blobs/bbai/trustm.zip
unzip trustm.zip
cd trustm/bin
sudo cp *.so /usr/lib

  2. Verify the Trust M:

    sudo trustm_chipinfo

  3. Copy your public key from Thistle Control Center and save it as project_pubkey.pem.

  4. Convert to Trust M format:

    openssl ec -pubin -in project_pubkey.pem -outform DER 2>/dev/null \
  | xxd -i -s 27 | xxd -r -p > pk

  5. Write the public key to slot 0xE0E8:

    sudo trustm_data -X -e -w 0xe0e8 -i pk

  6. (Optional) Lock the slot:

    sudo trustm_metadata -X -C n -w 0xe0e8

Step 4: Install Thistle Boot Assets

  1. Mount the SD card’s boot partition:

    sudo mount /dev/sdX1 /mnt/boot
cd /mnt/boot

  2. Backup existing boot files:

    mv u-boot.img u-boot.img.orig
mv boot.scr boot.scr.orig

  3. Download Thistle’s U-Boot and boot script:

    curl -O https://storage.googleapis.com/thistle-blobs/bbai/u-boot.img
curl -O https://storage.googleapis.com/thistle-blobs/bbai/boot.scr

  4. Copy the kernel-sig file to the boot partition:

    cp ~/Downloads/kernel-sig ./kernel-sig

  5. Sync and unmount:

    sync
sudo umount /mnt/boot

Step 5: Boot and Verify

  1. Insert the SD card into the BeagleY-AI and power it on.
  2. Use a serial console (115200 baud) to monitor the boot process.
  3. Look for messages indicating signature verification via Trust M.
  4. If valid, the kernel will boot normally.
  5. Log in and confirm the system is running with secure boot enabled.

Conclusion

You’ve successfully enabled Thistle Verified Boot on a BeagleY-AI with the Trust M secure element. Your device will now only boot kernels signed with your project’s private key, enhancing the security of your deployment.