I ran into an issue when encrypting a u-boot image using CST. When I enable image encryption, the CST hangs for about 20 minutes; at last it returns, but it does not generate the expected CSF bin and the image is not encrypted either; only dek.bin is generated.
Here is my CSF file content:
[Header]
Version = 4.1
Hash Algorithm = SHA256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification Index = 0
# Key to install
Target Index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification Index = 2
# Address Offset Length Data File Path
Blocks = 0x177ff400 0x00000000 0x00000C10 "./u-boot.imx"
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "./dek.bin"
Key Length = 128
Blob Address = 0x1787fbb8
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x17800010 0x00000C10 0x7cff0 "./u-boot.imx"
When I remove the content after "#Encrypt the boot image and create a DEK", everything goes well.
Thanks for your help, I will have a try.
Hello,
Have you used the following?
Encrypted boot loader on SabreSD i.MX6q board
Have a great day,
Yuri
Yes, I am following the steps on that page.
The cst tries to get random data from /dev/random. This operation can block for long periods of time if there is not enough entropy on the machine. You can generate entropy by inserting data into /dev/random. Try to use this package:
On deb types: sudo apt-get install rng-tools
Then run sudo rngd -r /dev/urandom
before using the CST tool.
Thanks for your help.
By doing that I still cannot encrypt the image; I just got this output:
"
$ ../linux64/cst -o u-boot_csf.bin -i u-boot.csf
Encryption not enabled
"
The size of my CSF uboot.imx is 0x6cc00, and my CSF file looks like this:
[Header]
Version = 4.1
Hash Algorithm = SHA256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification Index = 0
# Key to install
Target Index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification Index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x00000000 0x0006CC00 "./u-boot.imx"
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "./dek.bin"
Key Length = 128
Blob Address = 0x8786DF80
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x87800010 0x00000C10 0x6BFF0 "./u-boot.imx"
Could you please help?
The CST you are using does not have encryption support. (The binary version distributed by NXP does not have encryption support enabled by default.)
In order to enable it, you need to recompile the tool adding encryption support:
cd cst-2.3.2/code/back_end/src
Many thanks, I will have a try :-)
Could you make it work?
Many thanks for your help, the CST now works, but I cannot get the encrypted u-boot to run (only certification works fine). My encryption CSF configuration is:
================================================================
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
Target Index = 0
Key = "./dek.bin"
Key Length = 128
Blob Address = 0x8786DF80
#Provide DEK blob location to decrypt
[Decrypt Data]
Verification Index = 0
Mac Bytes = 16
Blocks = 0x87800000 0x00000C00 0x0006C000 "./u-boot.imx" # u-boot.bin region
================================================================
The u-boot.imx size is 0x0006CC00, u-boot.imx will be loaded at 0x877ff400.
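Added here as an example (not code from the thread or from NXP's CST): a small Python check of the Blocks geometry in the CSF fragments above. It parses the section/Blocks syntax, verifies that address minus offset equals the stated u-boot.imx load address (0x877ff400) and that no block runs past the 0x0006CC00-byte image, reports how many bytes fall in both the Authenticate Data and Decrypt Data ranges, and checks that the DEK blob does not land inside the loaded image; the 56-byte blob overhead used for that last check is an assumption, not a value from the thread.

```python
import re
# Constructed sample: the encryption-related lines from the CSF fragments posted in this thread.
SAMPLE_CSF = """\
[Authenticate Data]
Blocks = 0x877ff400 0x00000000 0x0006CC00 "./u-boot.imx"
[Install Secret Key]
Key Length = 128
Blob Address = 0x8786DF80
[Decrypt Data]
Blocks = 0x87800000 0x00000C00 0x0006C000 "./u-boot.imx" # u-boot.bin region
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")
BLOCKS_RE = re.compile(r'^Blocks\s*=\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+"([^"]*)"', re.I)
def parse_csf(text):  # -> {section: {"blocks": [(addr, offset, length, path)], key: value}}
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec, blk = SECTION_RE.match(line), BLOCKS_RE.match(line)
        if sec:
            cur = sections.setdefault(sec[1], {"blocks": []})
        elif blk:
            cur["blocks"].append((int(blk[1], 16), int(blk[2], 16), int(blk[3], 16), blk[4]))
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.split("#", 1)[0].strip()
    return sections
def check_layout(sections, load_addr, image_size, blob_overhead=56):
    """Return (severity, message) findings; blob_overhead is an ASSUMED DEK blob header+MAC size."""
    findings, ranges = [], {}
    for name in ("Authenticate Data", "Decrypt Data"):
        for addr, off, length, _path in sections.get(name, {}).get("blocks", []):
            if addr - off != load_addr:  # address and offset must agree on where the image is loaded
                findings.append(("error", f"{name}: 0x{addr:x} - 0x{off:x} != load address 0x{load_addr:x}"))
            if off + length > image_size:  # block must not run past the end of the file
                findings.append(("error", f"{name}: block ends at 0x{off + length:x} > image size 0x{image_size:x}"))
            ranges.setdefault(name, []).append((off, off + length))
    for a0, a1 in ranges.get("Authenticate Data", []):  # bytes that are both signed and encrypted
        for d0, d1 in ranges.get("Decrypt Data", []):
            if (ov := min(a1, d1) - max(a0, d0)) > 0:
                findings.append(("note", f"signed [0x{a0:x},0x{a1:x}) overlaps encrypted [0x{d0:x},0x{d1:x}) by 0x{ov:x} bytes"))
    sk = sections.get("Install Secret Key", {})
    if "Blob Address" in sk:
        blob = int(sk["Blob Address"], 16)
        blob_end = blob + int(sk.get("Key Length", "128")) // 8 + blob_overhead
        inside = blob < load_addr + image_size and blob_end > load_addr
        findings.append(("error" if inside else "info", f"DEK blob [0x{blob:x},0x{blob_end:x}) {'overlaps' if inside else 'lies outside'} the loaded image"))
    return findings
```

Running `check_layout(parse_csf(SAMPLE_CSF), 0x877ff400, 0x6CC00)` on the fragment above reports no geometry errors, but notes that 0x6c000 bytes are covered by both the Authenticate Data and Decrypt Data blocks and that the DEK blob lies past the end of the loaded image.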