Hi,
The signtool utility is provided to create encrypted/signed boot streams for the BF70x, but the signing is done using 224-bit ECDSA - it doesn't support SHA-1. You would have to use a third party tool (on the host PC, for example) to generate the hash and keys for lockbox on the BF54x, as described in Chapter 16 'Security' of the ADSP-BF54x Blackfin Processor Hardware Reference Manual.
http://www.analog.com/blackfin/manuals
Regards,
Craig.
