https://community.nxp.com/t5/i-MX-Processors/Running-encrypted-image-on-i-mx6/m-p/302341#M38268 <HTML><HEAD></HEAD><BODY><P>Let's say we have encrypted image which have to be loaded and run at the i.MX6-based board. Image was created and encrypted at some build-server.</P><P>According to documentation it is possible to decrypt it using CAAM module but we need to specify keys to decrypt our image in some way.</P><P></P><P>The question is - how we could store keys for image decryption at the board (e.g. decryption could be made by u-boot)?</P><P>Is it possible to use OTPMK fuse block for storing keys (which is quite small)? Or there is another solution to handle such scenarios?</P><P></P><P>Also it is said that in order to run HAB authentication we need to burn some values onto OTPMK fuses block, would it be critical if we try to store our secret keys there?</P></BODY></HTML> Mon, 24 Mar 2014 10:03:38 GMT vadimlomovtsev 2014-03-24T10:03:38Z https://community.nxp.com/t5/i-MX-Processors/Running-encrypted-image-on-i-mx6/m-p/302341#M38268 <HTML><HEAD></HEAD><BODY><P>Let's say we have encrypted image which have to be loaded and run at the i.MX6-based board. Image was created and encrypted at some build-server.</P><P>According to documentation it is possible to decrypt it using CAAM module but we need to specify keys to decrypt our image in some way.</P><P></P><P>The question is - how we could store keys for image decryption at the board (e.g. decryption could be made by u-boot)?</P><P>Is it possible to use OTPMK fuse block for storing keys (which is quite small)? Or there is another solution to handle such scenarios?</P><P></P><P>Also it is said that in order to run HAB authentication we need to burn some values onto OTPMK fuses block, would it be critical if we try to store our secret keys there?</P></BODY></HTML> Mon, 24 Mar 2014 10:03:38 GMT https://community.nxp.com/t5/i-MX-Processors/Running-encrypted-image-on-i-mx6/m-p/302341#M38268 vadimlomovtsev 2014-03-24T10:03:38Z https://community.nxp.com/t5/i-MX-Processors/Running-encrypted-image-on-i-mx6/m-p/302342#M38269 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: 'Verdana','sans-serif';">The following thread provides some information about CAAM using</SPAN></P><P><SPAN style="font-family: 'Verdana','sans-serif';">for application encryption / decryption.&nbsp; </SPAN></P><P></P><P><SPAN style="font-family: 'Verdana','sans-serif';"><A class="jive-link-message-small" data-containerid="2004" data-containertype="14" data-objectid="362564" data-objecttype="2" href="https://community.freescale.com/message/362564#362564">https://community.freescale.com/message/362564#362564</A></SPAN></P><P></P><P><SPAN style="font-family: 'Verdana','sans-serif';">As for OTPMK, please refer to i.MX6 Security Reference Manual.</SPAN></P><P> <SPAN style="font-family: 'Verdana','sans-serif';">Note, the OTPMK is factory burned. This means blobs MUST be generated on the i.MX6 :</SPAN></P><P><SPAN style="font-family: 'Verdana','sans-serif';">the blob is the DEK (Data Encryption Key) encrypted with the OTP Master Key (programmed </SPAN></P><P><SPAN style="font-family: 'Verdana','sans-serif';">in fuses on the i.MX6). </SPAN></P><P><SPAN style="font-family: 'Verdana','sans-serif';">&nbsp; So, Your requirement to use own key to encrypt an image </SPAN><SPAN style="font-family: 'Verdana','sans-serif';">on an external server and decrypt </SPAN></P><P><SPAN style="font-family: 'Verdana','sans-serif';">it on the i.MX6 is not supported. <BR /><BR /><BR /></SPAN></P></BODY></HTML> Tue, 25 Mar 2014 07:07:13 GMT https://community.nxp.com/t5/i-MX-Processors/Running-encrypted-image-on-i-mx6/m-p/302342#M38269 Yuri 2014-03-25T07:07:13Z