How is the blob encryption mechanism used to linux user space on ls1043ardb?

binhua_fan · ‎06-13-2019

Hello,

We need to use blob encryption mechanism to encrypt data, which is storaged in nand flash. We had been tried to add and modified the source codes according to Generate Blob Under Linux_V2.pdf (https://community.nxp.com/docs/DOC-335353), but failed and can not compile successfully. The document (Generate Blob Under Linux_V2.pdf) is used to i.MX Processors, could you provide the source codes and methods which can support ls1043ardb board?

Thank you very much.

Binhua

yipingwang · ‎07-14-2019

To establish chain of trust with confidentiality, cryptographic blob mechanism can be used. In this chain of trust, validated image is allowed to use the One Time Programmable Master Key to decrypt system secrets. Two bootscripts are to be used. First encapboot scripts is used which creates a blob of the next level images(e.g. MC, LINUX etc.) and saves them on flash. After this the system is booted after replacing the encap bootscript with decap bootscript which decapsulates the blobs and start MC and LINUX

Get Images on DDR
.
.
.
# Create the Blobs
blob enc <Img1 addr> <Img1 dest addr> <Img1 size> <key_modifier address>
blob enc <Img2 addr> <Img2 dest addr> <Img2 size> <key_modifier address>
blob enc <Img3 addr> <Img3 dest addr> <Img3 size> <key_modifier address>
.
.
.
Save The Blobs created on Flash
.
.
.
# End of Encap Boot Script (This is one time only and must be replaced with decap Boot Script)

For details, please refer to the section "Chain of Trust with confidentiality" in LSDK user manual.

How is the blob encryption mechanism used to linux user space on ls1043ardb?

How is the blob encryption mechanism used to linux user space on ls1043ardb?

QorIQ LS1 Devices