Hi,
I have closed config the board and could encapsulate and decacpsulate black blob on it in secure mode.
The questions are,
how to chage security configuration of a SOC from fab configuration to closed configuration? This board is already closed config enabled.
已解决! 转到解答。
Hello,
The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM.
The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.
Regards,
Yuri
Hello,
In order to generate a blob with the CAAM OTPMK, a secure boot with HAB should be
in closed config, otherwise the blob will be created using CAAM default master key.
OTPMK, when burned (“the OTPMK are burned by Freescale prior to shipping the device”),
is unique and is used as the Key Encryption Key, therefore for different boards encrypted
data may be the same, if the same Key is applied for encryption, but encrypted key part
of the blob should differ.
One can determine if a valid OTPMK has been burned by checking the OTPMK_ZERO
bit in the SNVS_HP Status Register.
Best regards
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi,
Thanks for prompt response.
HAB is closed config, which signifies OTPMK is involved in BLOB generation. If the data encrypted from black blob created from same user key, is going to be same;
Then what is the role of OTPMK in encryption/decryption. The assumption was, as OTPMK is unique per SOC, both blob genrarted along with encrypted data will be unique per SOC and can not be decrypted on other SOC, which in this case is happening when I am creating Black blob using same user key and successfully decrypting data encrypted from other board.
And is there any way to do hardware specific en/decryption?
Thanks again,
Swapnil
Hello,
The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM.
The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.
Regards,
Yuri