Adding Support for Image Signatures (Windows Embedded CE 6.0)


To avoid downloading or running a bad run-time image, the boot loader may need to validate the run-time image before taking any action. You can provide a callback function, which the BLCOMMON library will call before writing a run-time image into flash memory.

You should leave the flash memory erase routines stubbed to avoid accidentally writing to or erasing blocks of data in flash memory until the whole run-time image is downloaded and its signature can be checked.

You can implement any kind of signature checking mechanism or you can use the CheckSignature routine provided in the BLCOMMON library. For more information, see OEMCheckSignature and %_WINCEROOT%\Public\Common\Oak\Drivers\Ethdbg\Blcommon.

The following code example shows how OEMCheckSignature is implemented.

BOOL OEMCheckSignature(DWORD dwImageStart, DWORD dwROMOffset, DWORD dwLaunchAddr, BOOL bDownloaded)
    // Check image signature here. 
    // FALSE means image failed signature check and BLCOMMON will 
    // abort the flash write or the launch operation.

When using BLCOMMON during boot loader initialization, for example, OEMDebugInit, the signature verification function pointer should be assigned to the OEM's signature routine.

For example, to have BLCOMMON call OEMCheckSignature to validate the image signature, you should do the following in OEMDebugInit.

g_pOEMCheckSignature = OEMCheckSignature;

Community Additions