Changing the OEM Boot Loader (Windows Embedded CE 6.0)

1/5/2010

To support secure boot loading you must implement several changes in the device boot loader.

You can find the sample code in %_WINCEROOT%\Platform\Mainstoneiii\Src\Bootloader\Secure_eboot.

SBLMincrypt.lib contains the SBL_VerifyPacket function. You can find the definition in SBL.h. This library is available to OEMs who want to integrate enhanced boot loading technology into their products. The boot loader library transparently handles all aspects of RSA signature verification.

Public_keys.c format

The public_keys.c file is created by the OEM and must follow the required format. The following code example shows the required format.

/* One header per public key, each generated by DumpKey. */
#include "SBL_Test_public_key.h"
#include "SBL_Test_public_key1.h"
.
.
.
#include "SBL_Test_public_keyn.h"

/* Array of pointers to the public key blobs; one entry per key. */
const BYTE  *g_rgpbPublicKeys[] =
{
    grsa_SBL_Test_public_key,
};

/* Key lengths, in the same order as g_rgpbPublicKeys. */
const DWORD  g_rgdwKeyLengths[] =
{
    gdwKeyLen_SBL_Test_public_key,
};

/* Number of keys, derived from the array so the two tables stay in step. */
const WORD g_wNumPublicKeys = sizeof( g_rgpbPublicKeys )/sizeof( g_rgpbPublicKeys[0] );

For an example, see the Public_keys.c file in %_WINCEROOT%\Platform\Mainstoneiii\Src\Bootloader\Secure_eboot.

The public_keys.c file includes the header files created by DumpKey and defines an array of public keys and an array of the corresponding key lengths. These arrays are packaged, along with additional parameters, in a PUBLICKEYDATA structure that is defined in SBL.h. This structure is passed to SBL_VerifyPacket, which allows the Secure Boot Loader library to support an arbitrary number of public keys and signature lengths during verification. There is no set maximum number of keys that you can use.

The boot loader must verify each packet before the packet is flashed onto the device. The samples also include code for handling a single record that has been split into several chunks: each chunk carries the current chunk number and the total number of chunks, so the boot loader can track its state during flashing.

Note

One consequence of the preceding procedure is that a verification error that occurs after the device has been partially flashed leaves the device unusable. How to handle this is an implementation decision for the OEM. To avoid device failure, you can use a two-pass method in the boot loader that verifies the entire image before any of it is flashed.
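The following program illustrates both the per-packet verification with chunk bookkeeping described above and the two-pass approach suggested in the Note. It is an added example written for this page; it is not part of the CE sample code or of SBLMincrypt.lib. The packet layout, the status codes, the record and flash sizes, and the verify_packet stand-in (a checksum used only so the example runs offline, with no security value) are all assumptions; a real boot loader calls SBL_VerifyPacket with the PUBLICKEYDATA structure to perform RSA signature verification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed packet layout for this example (not the SBL on-the-wire format). */
typedef struct {
    uint32_t record_id;     /* which download record this chunk belongs to */
    uint32_t chunk_index;   /* 0-based index of this chunk within the record */
    uint32_t chunk_total;   /* total number of chunks in the record */
    uint32_t flash_addr;    /* offset into flash where the payload is written */
    uint32_t length;        /* payload length in bytes */
    const uint8_t *payload;
    uint32_t tag;           /* stand-in for the RSA signature, see verify_packet */
} packet_t;

typedef enum { SBL_OK = 0, SBL_BAD_SIGNATURE, SBL_BAD_SEQUENCE, SBL_INCOMPLETE, SBL_RANGE } sbl_status_t;

#define FLASH_SIZE  64      /* simulated flash, erased state is 0xFF */
#define MAX_RECORDS 8
static uint8_t g_flash[FLASH_SIZE];

/* Stand-in for SBL_VerifyPacket. The real library verifies an RSA signature
   against the OEM public keys; here a 32-bit FNV-1a over header and payload
   is used only so the example runs offline. It provides no security. */
static uint32_t fnv1a(const uint8_t *p, size_t n, uint32_t h) {
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
static uint32_t make_tag(const packet_t *pkt) {
    uint32_t hdr[4] = { pkt->record_id, pkt->chunk_index, pkt->chunk_total, pkt->flash_addr };
    uint32_t h = fnv1a((const uint8_t *)hdr, sizeof hdr, 2166136261u);
    return fnv1a(pkt->payload, pkt->length, h);
}
static int verify_packet(const packet_t *pkt) { return make_tag(pkt) == pkt->tag; }

/* Pass 1: verify every packet and check chunk sequencing without writing flash. */
typedef struct { uint32_t expected_index; uint32_t total; int seen; } record_state_t;

static sbl_status_t verify_image(const packet_t *pkts, size_t n) {
    record_state_t st[MAX_RECORDS] = {0};
    for (size_t i = 0; i < n; i++) {
        const packet_t *p = &pkts[i];
        if (p->record_id >= MAX_RECORDS) return SBL_RANGE;
        if (p->flash_addr + p->length > FLASH_SIZE || p->flash_addr + p->length < p->flash_addr)
            return SBL_RANGE;
        if (!verify_packet(p)) return SBL_BAD_SIGNATURE;
        record_state_t *r = &st[p->record_id];
        if (!r->seen) { r->seen = 1; r->total = p->chunk_total; }
        if (p->chunk_total == 0 || p->chunk_total != r->total || p->chunk_index != r->expected_index)
            return SBL_BAD_SEQUENCE;
        r->expected_index++;
    }
    for (int k = 0; k < MAX_RECORDS; k++)       /* every started record must be complete */
        if (st[k].seen && st[k].expected_index != st[k].total) return SBL_INCOMPLETE;
    return SBL_OK;
}

/* Pass 2: erase and write only after the whole image has passed verification.
   A boot loader that cannot buffer the image would re-receive and re-verify
   each packet here; in this example the packets are already in RAM. */
static sbl_status_t flash_image(const packet_t *pkts, size_t n) {
    sbl_status_t s = verify_image(pkts, n);
    if (s != SBL_OK) return s;                  /* flash untouched on any failure */
    memset(g_flash, 0xFF, sizeof g_flash);
    for (size_t i = 0; i < n; i++)
        memcpy(g_flash + pkts[i].flash_addr, pkts[i].payload, pkts[i].length);
    return SBL_OK;
}

/* Constructed sample image: record 0 in two chunks, record 1 in one chunk. */
static const uint8_t kPayA[4] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t kPayB[4] = {0x05, 0x06, 0x07, 0x08};
static const uint8_t kPayC[8] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x10, 0x20};
static uint8_t g_tampered[4];

static size_t build_image(packet_t *out, int tamper) {
    packet_t a = {0, 0, 2, 0, 4, kPayA, 0};
    packet_t b = {0, 1, 2, 4, 4, kPayB, 0};
    packet_t c = {1, 0, 1, 16, 8, kPayC, 0};
    a.tag = make_tag(&a); b.tag = make_tag(&b); c.tag = make_tag(&c);
    if (tamper) {                               /* modify payload after "signing" */
        memcpy(g_tampered, kPayB, sizeof g_tampered);
        g_tampered[0] ^= 0x80;
        b.payload = g_tampered;
    }
    out[0] = a; out[1] = b; out[2] = c;
    return 3;
}

/* Starts from erased flash, attempts the two-pass flash, returns the status. */
int run_demo(int tamper) {
    packet_t img[3];
    size_t n = build_image(img, tamper);
    memset(g_flash, 0xFF, sizeof g_flash);
    return (int)flash_image(img, n);
}
int flash_byte(uint32_t addr) { return addr < FLASH_SIZE ? g_flash[addr] : -1; }

int main(void) {
    printf("good image:     status %d, flash[0]=0x%02X\n", run_demo(0), flash_byte(0));
    printf("tampered image: status %d, flash[0]=0x%02X\n", run_demo(1), flash_byte(0));
    return 0;
}
```

With the intact image the status is SBL_OK and the payloads land at their flash offsets; with one byte of the second chunk altered after the tag was computed, pass 1 reports SBL_BAD_SIGNATURE and the flash stays in its erased state, which is the property the two-pass design buys.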

See Also

Tasks

Creating an Enhanced Boot Loader

Concepts

Enhanced Boot Loader Security