https://community.nxp.com/t5/i-MX-Processors/How-install-data-on-integrity-protected-partitions-during/m-p/1284123#M174676 <P>When installing a new board support package from SD card<BR />on the emmc of our board the following steps happen:<BR />1. create a random key<BR />2. encrypt it<BR />3. store it on both the boot boot partition<BR />4. decrypt the key and store it in RAM<BR />5. we format the app end the home partition using the key from RAM<BR />and the command "integritysetup format"<BR />5. we open the app end the home partition using the key from RAM<BR />and the command "integritysetup open" and copy the data from SD<BR />card to eMMC<BR />6. we close the app and the home partition</P><P>When we later boot from eMMC, the key is loaded and decrypted and the protected partitions are mounted.</P><P>The question is, when can we burn the fuses, in particular the "secure boot" fuse such that the unique, per device key is used for integrity protection?</P><P>If we do that before encrypting the key using the command "caam_tool enc", will the caam tool detect that the device is a secure device? I think it will not, because the device only becomes a secure device after power cycling.</P><P>So how can I create a secure device AND use per-device key for integrity protection without having to power cycle the device twice during the installation process?</P><P>The web page <A href="https://github.com/f-secure-foundry/caam-keyblob/" target="_blank">https://github.com/f-secure-foundry/caam-keyblob/</A> says:<BR />"The secure operation of the CAAM and SNVS, in production deployments, should always be paired with Secure Boot activation."</P><P>Does this always requires an addition power cycling of the board before installing data on the secure partition?</P><P>Best regards:</P><P>Uwe Fechner</P> Fri, 28 May 2021 11:05:44 GMT ufechner 2021-05-28T11:05:44Z https://community.nxp.com/t5/i-MX-Processors/How-install-data-on-integrity-protected-partitions-during/m-p/1284123#M174676 <P>When installing a new board support package from SD card<BR />on the emmc of our board the following steps happen:<BR />1. create a random key<BR />2. encrypt it<BR />3. store it on both the boot boot partition<BR />4. decrypt the key and store it in RAM<BR />5. we format the app end the home partition using the key from RAM<BR />and the command "integritysetup format"<BR />5. we open the app end the home partition using the key from RAM<BR />and the command "integritysetup open" and copy the data from SD<BR />card to eMMC<BR />6. we close the app and the home partition</P><P>When we later boot from eMMC, the key is loaded and decrypted and the protected partitions are mounted.</P><P>The question is, when can we burn the fuses, in particular the "secure boot" fuse such that the unique, per device key is used for integrity protection?</P><P>If we do that before encrypting the key using the command "caam_tool enc", will the caam tool detect that the device is a secure device? I think it will not, because the device only becomes a secure device after power cycling.</P><P>So how can I create a secure device AND use per-device key for integrity protection without having to power cycle the device twice during the installation process?</P><P>The web page <A href="https://github.com/f-secure-foundry/caam-keyblob/" target="_blank">https://github.com/f-secure-foundry/caam-keyblob/</A> says:<BR />"The secure operation of the CAAM and SNVS, in production deployments, should always be paired with Secure Boot activation."</P><P>Does this always requires an addition power cycling of the board before installing data on the secure partition?</P><P>Best regards:</P><P>Uwe Fechner</P> Fri, 28 May 2021 11:05:44 GMT https://community.nxp.com/t5/i-MX-Processors/How-install-data-on-integrity-protected-partitions-during/m-p/1284123#M174676 ufechner 2021-05-28T11:05:44Z https://community.nxp.com/t5/i-MX-Processors/How-install-data-on-integrity-protected-partitions-during/m-p/1293647#M175614 <P>Hi&nbsp;<SPAN>Uwe</SPAN></P> <P>&nbsp;</P> <P><SPAN>from team:</SPAN></P> <P><SPAN>------------</SPAN></P> <P><SPAN>Yes. Secure boot need a new power cycle to enable. CAAM key blob only can be decapsulated in the same life cycle as it is created. So additional power cycle is need.</SPAN></P> <P><SPAN>------------</SPAN></P> <P>&nbsp;</P> <P>Best regards<BR />igor</P> Thu, 17 Jun 2021 00:10:29 GMT https://community.nxp.com/t5/i-MX-Processors/How-install-data-on-integrity-protected-partitions-during/m-p/1293647#M175614 igorpadykov 2021-06-17T00:10:29Z