Hi.
I am working on encrypted boot on i.MX6 and I would like to use one DEK in several builds. The goal is to keep the same DEK and not let CST generate a new DEK each time it runs.
In the "backend code" of the Code Signing Tool (CST), file $(CST-HOME)/code/back_end/src/adapt_layer_openssl.c, the function "gen_auth_encrypted_data(...)" has arguments "key_file" and "reuse_dek". However, there is no obvious way to provide this key_file name to the function.
After a couple of tries I found out that CST version 2.3.3 has a "hidden" command line argument "--dek" that (as I believe) should allow me to specify the DEK file name. Indeed, if I run the tool with the --dek argument, for example
../linux64/cst --o u-boot_csf.bin --i u-boot.csf --dek dek.bin
it does not complain and even prints a warning about key reuse. However, the tool then crashes with "Segmentation fault (core dumped)".
So the question is: How can I reuse the DEK between CST runs?
Regards,
Michal
I tried CST 3.1.0; it can support dek.bin reuse.
cst -d -i cst.txt -o cst.bin
BR.
Tom.
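As an added illustration of the workflow Tom describes (this is not NXP code and not part of the original thread), the script below keeps a single DEK file across builds and hands it to CST 3.x with the -d option. It assumes that cst is on PATH, that with -d CST reads the DEK named in the CSF's [Decrypt Data] "Key" field instead of generating a fresh one (the CSF field names follow the CST User Guide syntax as the author of this example recalls it, and are an assumption here), and the file names, key length and blob address are placeholders constructed for the example:

```sh
#!/bin/sh
# Added example (not NXP's code): reuse one DEK across several CST runs.
# Assumptions: CST 3.1.0 is installed as "cst"; "cst -d" reuses the DEK named
# in the CSF's [Decrypt Data] section; the CSF fragment below is constructed
# and the blob address is a placeholder, not a real i.MX6 memory map value.
set -u

# ensure_dek FILE BITS: create FILE with BITS/8 random bytes only if it does
# not exist yet. An existing DEK is left untouched, so every later build
# reuses the same key; a size mismatch (e.g. a 128-bit file requested as
# 256-bit) is reported instead of silently regenerating the key.
ensure_dek() {
    file=$1; bits=$2
    case "$bits" in
        128|192|256) ;;
        *) echo "DEK must be 128, 192 or 256 bits, got $bits" >&2; return 1 ;;
    esac
    bytes=$((bits / 8))
    if [ ! -f "$file" ]; then
        # The DEK is a secret: create it owner-readable only.
        (umask 077; head -c "$bytes" /dev/urandom > "$file")
    fi
    actual=$(wc -c < "$file" | tr -d ' ')
    if [ "$actual" -ne "$bytes" ]; then
        echo "$file is $actual bytes, expected $bytes" >&2
        return 1
    fi
    return 0
}

# dek_fingerprint FILE: a checksum that lets two builds be compared for
# "same DEK?" without printing the key (cksum is POSIX; use sha256sum where
# available).
dek_fingerprint() {
    cksum < "$1" | cut -d' ' -f1
}

# write_csf OUT DEK BITS: constructed CSF fragment whose [Decrypt Data]
# section points at the persistent DEK file. Assumed field names; the real
# CSF also needs the Header, Install SRK, Install CSFK and Authenticate
# Data commands that are omitted here.
write_csf() {
    cat > "$1" <<EOF
[Decrypt Data]
    Verification index = 0
    Target index = 0
    Key = "$2"
    Key Length = $3
    Blob Address = 0x00000000
EOF
}

# run_cst CSF OUT: invoke CST with -d so the DEK from the CSF is reused.
# If cst is not installed, print the command that would run and succeed,
# so the surrounding build script can be dry-run on a host without CST.
run_cst() {
    if ! command -v cst >/dev/null 2>&1; then
        echo "cst not on PATH; would run: cst -d -i $1 -o $2" >&2
        return 0
    fi
    cst -d -i "$1" -o "$2"
}
```

Typical use in a build script is ensure_dek dek.bin 128 followed by write_csf u-boot.csf dek.bin 128 and run_cst u-boot.csf u-boot_csf.bin; comparing dek_fingerprint dek.bin between builds confirms that the same key was used, and the same dek.bin must then be wrapped into the DEK blob for every board the image is deployed to.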
Hello,
Current CST implementations do not support the needed (DEK reuse) feature.
Please accept apologies for this inconvenience.
Have a great day,
Yuri
Hi Yuri.
Does NXP have plans to support this feature in future CST releases?
If yes, can you share CST release plan?
Regards,
Michal
Hello,
I do not have such information.
You may try to create a request to get more details.
https://community.nxp.com/docs/DOC-329745
Regards,
Yuri.