Tamper-resistant factory data from the bootloader
- Track: Embedded, Mobile and Automotive
- Room: UD2.120 (Chavanne)
- Day: Sunday
- Start: 12:00
- End: 12:10
Secure-boot chains in embedded systems have largely converged on common building blocks like FIT, dm-verity or UKIs.
The bootloader is anchored in hardware trust, then verifies an operating system image, and the chain continues, eventually covering the application.
But there is a gap when it comes to adding unit-specific bits of information, such as per-device configuration, hardware calibration, or MAC addresses needed early in boot.
In this segment, I present the TLV framework recently added to the barebox bootloader, to which I contributed signature support. It allows device-specific key-value pairs to become part of the secure-boot chain from early on, providing the system with authenticated, replay-protected per-unit data.
This short presentation discusses:
- factory data and its relevance to a secure-boot chain
- the barebox implementation using a signed Tag-Length-Value format
- when and how to prevent interchange of TLV blobs across units
- integration of the new feature
Speakers
- Jonas