Creating an Enhanced Boot Loader (Windows Embedded CE 6.0)

1/5/2010

With enhanced boot loading technology, you can reduce the risk of arbitrary code being flashed to devices. Once an image has been packaged in a .bin file or a raw format such as .nb0 and is ready to be flashed, you can sign the image with a utility that uses your private key. The boot loader is compiled with the corresponding public key(s), which allows asymmetric public and private key verification. As the boot loader prepares to flash the device with the new image, it checks the signature against the compiled public key(s). If validation succeeds, the boot loader has an image that originated from a verifiable source.

To create an enhanced boot loader

  1. Use DumpKey.exe to acquire the public key of a user certificate on a Windows XP computer.

    This file is located in %_WINCEROOT%\Public\Common\Oak\Bin\I386.

  2. Create the public_key.h header file.

  3. Implement the boot loader by using the Enhanced Boot Loader Library and the example code as a guide.

    You can find the sample code in %_WINCEROOT%\Platform\Mainstoneiii\Src\Bootloader\Secure_eboot. You can find the SBL.h header file at %_WINCEROOT%\Public\Common\Oak\Inc.

    The source code will include public_key.h that you created in step 2 and will link to the following libraries: Mincrypt.lib, Loadauth.lib, and SBLMincrypt.lib. You can find these libraries in %_WINCEROOT%\Public\Common\Oak\Lib\<cpu>\<debug|retail>\.

  4. Use ImageHash.exe to sign the image with a private key selected from a user certificate on a Windows XP computer. Use the same computer as in step 1.

  5. Use the boot loader to load the signed image that you created in step 4.
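
The following is an added example, not code from the Enhanced Boot Loader Library or the Secure_eboot sample. It models the sign-then-verify flow of steps 1 through 5 in Python so that the verify-before-flash ordering can be run and inspected. All function names, the toy key, and the sample image are assumptions constructed for illustration and do not reflect the SBL.h API or the formats used by DumpKey.exe and ImageHash.exe.

```python
import hashlib

# Constructed toy RSA key, for illustration only: far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1            # two known Mersenne primes
N, E = P * Q, 65537                      # public half: what the loader is built with
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: stays on the signing computer


def image_digest(image: bytes, modulus: int) -> int:
    """SHA-256 of the image as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % modulus


def sign_image(image: bytes) -> int:
    """Signing-side role (step 4). Unpadded RSA keeps the model short;
    production signing uses a padded scheme and a full-size key."""
    return pow(image_digest(image, N), D, N)


def verify_image(image: bytes, signature: int, trusted_keys) -> bool:
    """Loader-side check: accept if any compiled-in public key validates."""
    for n, e in trusted_keys:
        if 0 < signature < n and pow(signature, e, n) == image_digest(image, n):
            return True
    return False


def flash_if_valid(flash: bytearray, image: bytes, signature: int, trusted_keys) -> bool:
    """Fail closed: flash contents change only after the signature verifies."""
    if not verify_image(image, signature, trusted_keys):
        return False
    flash[:] = image
    return True


if __name__ == "__main__":
    image = b"constructed sample image contents"
    sig = sign_image(image)
    flash = bytearray(b"previous image")
    print("signed image flashed:", flash_if_valid(flash, image, sig, [(N, E)]))
    tampered = image.replace(b"sample", b"SAMPLE")
    print("tampered image flashed:", flash_if_valid(flash, tampered, sig, [(N, E)]))
```

The model writes to flash only after verification returns success, so a rejected image leaves the previously flashed contents untouched.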

See Also

Concepts

Enhanced Boot Loader Security
Flashing Recommendations
Best Practices for Enhancing Boot Loader Security
Changing the OEM Boot Loader
Signing the .bin File