i.MX93 encrypted linux

spawn — Wed, 12 Mar 2025 11:08:21 GMT

Hello,

I enabled secure-boot on my board, the bootloader containers
and linux are signed. The SRK fuses are configured, ahab_status returns
no errror, and auth_cntr successfully authenticate linux and then the
boot command succeed.

Now that I added the rootfs decryption key to the initramfs
that is embedded into the linux-dtb-initramfs container, I need to
encrypt this container.

I added the encryption command "[Install Secret Key] ... " to
the CSF file, signed+encrypted the linux-dtb-initramfs container using
CST, generated the blob on the board using the `dek_blob` command, then
added this 72-bytes blob to the signed+encrypted linux-dtb-initramfs
container to the offset returned by CST.

But now uboot is not happy and returns an error "Error:
ele_verify_image: ret -110, img_id 0, response 0x1". Do you know what is the problem ?

Re: i.MX93 encrypted linux

spawn — Wed, 12 Mar 2025 12:03:45 GMT

Unless its not possible to encrypt linux ? in which case the rootfs decryption key must not be stored in the initramfs but in ELE through keyctl ?

Re: i.MX93 encrypted linux

spawn — Wed, 12 Mar 2025 15:27:48 GMT

After more digging... I does not seem to be possible to use ELE through keyctl. What's left is the possibility to use keyctl with TEE. I will try that.

i.MX SolutionsのトピックRe: i.MX93 encrypted linux

i.MX93 encrypted linux

Re: i.MX93 encrypted linux

Re: i.MX93 encrypted linux