Best practice for encrypting updates on i.MX8 ULP with secure boot

ddresser
Contributor III

Hi everyone,

I’m working on a project involving the i.MX8 ULP platform, and I’ve got secure boot up and running. Now I’m in the process of implementing encrypted boot using the dek_blob. However, I’ve run into a challenge regarding how to handle encrypted updates across a large fleet of devices.

Here’s the situation:
My understanding is that the dek_blob is encrypted using the OTPMK (One Time Programmable Master Key), which is unique to each device. This would mean, for each device, I’d need a separate dek_blob and an individual encryption process for each update. With 5,000 devices distributed in various locations, this seems like it could become quite burdensome.

My question: How do others typically handle this kind of challenge? Specifically, what’s the best approach to managing encrypted updates for multiple devices that each require a unique dek_blob?

Some approaches I’ve been considering include:

  1. Burning a shared AES key (OEM KEK) into fuses (I believe this might be fuse bank 6, but I'd appreciate confirmation on this).
  2. Encrypting a shared key with an SRK (Secure Root Key) and delivering it within a container, creating a key_blob and using keyctl to store it in a keychain.

I’d love to hear from others who have worked through similar challenges or have advice on the most efficient and secure way to manage encrypted updates at scale.

Thanks in advance for any guidance or best practices you can share!
