DEK Blob generation for encrypted boot

spthx · ‎11-13-2024

Hi,

I would like to apply HAB (encrypted boot) to a product that uses i.MX8MN.
For encrypted boot, we need to generate a DEK Blob on the device side,
It is generated by calling dek_blob.pta in OP-TEE.

We have confirmed that using a DEK Blob generated with PRIBLOB=01 in CAAM, the device boots successfully from the encrypted image with the DEK Blob merged.
However, if a DEK Blob generated with PRIBLOB=11 is used, the boot fails.

For this reason, it seems that PRIBLOB cannot be set to 11 in order to generate Blobs that support encrypted boot when implementing the software update function.
However, it also seems that this setting is not recommended.

In view of the implementation of the software update function, could you please tell us about the best practice for DEK Blob generation?

Best regards,

spthx · ‎12-03-2024

Thank you.
However, you do not seem to have understood the question.
It did not answer the question.

Harvey021 · ‎11-28-2024

Hi,

I reply back to you via system service email regarding the secure case.

Regards

Harvey

DEK Blob generation for encrypted boot

DEK Blob generation for encrypted boot

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano