Secure Boot on MediaTek Genio, our partnership with Grinn

At Thistle, we believe secure boot should be easy to implement and not a multi-week engineering project. MediaTek Genio platforms like the Grinn Genio 700 SOM are gaining traction in edge AI and IoT deployments, but enabling secure boot on these boards has traditionally required deep platform knowledge, manual key management, and a fragile chain of signing steps.

In order to streamline this process, we partnered with Grinn with the aim to simplify Secure Boot integration work to a single command.

The problem with secure boot today

Secure boot on embedded platforms typically involves generating and safeguarding cryptographic key pairs, configuring multiple signing stages (TF-A, U-Boot, kernel), and carefully orchestrating the signing of each artifact in the right order with the right key. On MediaTek Genio specifically, the boot chain includes a Root of Trust key, eFuse keys, and FIT image keys, each serving a different role in the chain of trust from ROM to Linux.

Implementation time usually spans several weeks (if not months) and the result is a process that's error-prone, hard to automate, and tempting to skip entirely despite the security benefits.

One command

We extended our CLI tool trh (Thistle Release Helper) with a new sign subcommand. The entire secure boot signing flow for a MediaTek Genio board looks like this:

$ trh factory-sign mediatek --soc=mt8390 --input ./build/tmp/deploy/images/genio-700 --output ./signed-output

Point trh at your Yocto build directory, tell it where to put the output signed build, and it handles the rest: packaging the right artifacts, calling the signing service, and writing back a complete set of signed images ready to flash.

Under the hood, trh configures all the signing parameters: the Root of Trust key, eFuse key, U-Boot FIT image keys, anti-rollback counters, media type. We leverage our Cloud signing KMS (Key Management System), so that key management is done right from the beginning, and no software (or human being!) has access to the private signing keys.

What you get back

The output directory contains fully signed boot artifacts. Flash them to the board using the standard Grinn/MediaTek flashing tools, the same genio-flash workflow you already use, just with signed images instead of unsigned ones. The board boots with a verified chain of trust from ROM through TF-A and U-Boot all the way to Linux.

Why this matters

Secure boot adoption on embedded platforms is low, and it's not because teams don't care about security. It's because the tooling has historically made it painful. By collapsing the signing workflow into a single CLI call, backed by managed keys architecture, we remove the two biggest barriers: complexity and key management risk. If you're building on MediaTek Genio and want to enable secure boot without the usual overhead, check out the full setup guide or reach out to us directly !