The sbs_create tool implements a generator for Signed Block Stream (SBS) images as specified by the Bootloader Signed Block Stream of Commands specification.

The sbs_inspect tool dumps information about a given SBS image.


Copyright (C) 2020  Reto Buerki <>
Copyright (C) 2020  codelabs GmbH
Copyright (C) 2020  secunet Security Networks AG

This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later


The latest version of the SBS tools is available through git:

$ git clone


To compile the SBS tools on your system, you need to have the following software installed:

After the build, the tool binaries will be located in the bin directory.


Before you use the SBS tools on your system, it is recommended to test if everything works as expected. The SBS tools project contains a unit test suite which can be run by entering the following command:

$ make tests


An example GnuPG home directory containing a secret key without passphrase is provided in the data/gpg-homedir directory. Do not use this key for anything important, it is strictly intended for illustrative purposes.

The example key can be used to protect any data file using the sbs_create tool:

$ echo "protect me" > dat
$ bin/sbs_create -k data/gpg-homedir -i dat -o
Processing input file 'dat'
Input file size is 11 bytes, requiring 1 block(s)
Output files size is 66202 bytes
Signature length is 566 bytes
Processing 1 block(s)
Creating signature
Signed stream written to ''

The sbs_inspect tool can be used to display information about an SBS image:

$ bin/sbs_inspect -s
SBS file detected
Block count         : 1
Block size          : 65536
Block data length   : 65472
Signature length    : 566
Header size         : 100
Hashsum length      : 64
Padding length      : 65461
Hash algorithm ID 1 : HASH_SHA2_512
Hash algorithm ID 2 : HASH_NONE
Hash algorithm ID 3 : HASH_NONE
Hash algorithm ID 4 : HASH_NONE
Signature scheme    : SIGNATURE_PGP
Root hash           : 1255df4d21...

Checking hashes ...
Hashes valid

If the tool is called with the -v switch, each block hash in the chain of blocks is displayed as well.


  • The block size is fixed to 64k

  • Only SHA2-512 hashsums are implemented

  • Only PGP signatures using GnuPG are implemented

  • The GnuPG keyring in the specified homedir must only contain one RSA 4096 secret key

  • sbs_inspect does not validate signatures