Hello Guys,
An explanation of encrypted boot in the document of CST tool is as follows:
The encrypted boot case is very similar to generating signed images, but there are two main differences. The first is that the binary image is both decrypted and authenticated using a symmetric key rather than signed using a private asymmetric key. The second is the CST generates a one-time AES Data Encryption Key (DEK) which is used to encrypt the image.
A cryptographic blob of the DEK must be created during the OEM manufacturing stages on each processor and then attached to the image on the boot device. The reason for this is the DEK blob is created using the device unique key embedded into the Freescale processor which is only readable by the on-chip encryption engine. The DEK is common to all ICs using the same encrypted image but the DEK blob is unique per IC.
Thanks & Greets,
Satya
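The key hierarchy in the CST text quoted above, as an added model that is not part of the original post and is not NXP's code or blob format: one DEK encrypts the image for every unit, and each unit's device-unique key wraps that DEK into its own blob. The HMAC-SHA256 construction stands in for the on-chip engine, and all function names and sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC in counter mode as a keystream (stand-in for AES, stdlib only).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Authenticate first; only decrypt if the tag matches.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def build_release(image: bytes):
    # Build host: one-time DEK, one encrypted image shared by all units.
    dek = os.urandom(16)
    return dek, seal(dek, image)

def make_dek_blob(device_key: bytes, dek: bytes) -> bytes:
    # Manufacturing step on each unit: wrap the DEK under that unit's key.
    return seal(device_key, dek)

def boot(device_key: bytes, dek_blob: bytes, encrypted_image: bytes) -> bytes:
    # Boot: unwrap the DEK from the blob, then decrypt and authenticate the image.
    dek = unseal(device_key, dek_blob)
    return unseal(dek, encrypted_image)
```

A blob copied from one unit fails authentication on another, which is why the blob has to be generated on each processor during manufacturing.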
Hello,
I hope the following helps.
Regards,
Yuri.
Please refer to chapter 4.11 "High Assurance Boot" of the Security Reference Manual for i.MX6 Families of Applications Processors.
Have a great day,
Victor
Hello Victor,
Thank you for the reply. I am sorry to say some of my questions remain unanswered. For example:
2. I think I found a way to generate the blob, actually a patch: [U-Boot] [PATCH] imx6: Added DEK blob generator command
I haven't tried but hope it works. I can only try it after I have clarity about the above step.
Greets,
Satya