Got through the HABv4 secure boot signing process and started to investigate encrypted boot (bare metal) to protect our IP, not for cloning protection.
The unique DEK is potentially a show-stopper for using this processor. We expect our CM to burn the SRK in the fuses. Aligned with other processors we're using, a key programmed into the fuses is used to decrypt an image (release build) that's created using a secure build environment to protect the keys. This doesn't seem to be the case for the NXP i.MX8M Plus et al.
If we generate a DEK using a processor in our secure environment, it seems like the CSF supports OTPMK or ZMK (or CMK even, but that's still based on OTPMK) as the "verification index" for the [Install Secret Key]. Here, 0/1 selects OTPMK from fuses, 2 selects ZMK from SNVS, and 3 selects CMK from SNVS.
Is it possible to use ZMK (still trying to figure out how the ZMK is actually derived). From the security manual it seems like it's still derived from the OTPMK but can be zeroized in case of a security failure...
Ideally, we'd like to mimic what we're doing on the FPGA--have fuses burned with some sort of key that can be used to decrypt an image from the same processor *family*--not per device. As mentioned, we have a secure build environment that releases thousands of copies of our FW into the field, and we expect that firmware to be encrypted by the secure build server, in conjunction with CMs programming the SRK, etc. I stumbled across some reference to "manufacturing mode" to create encryption keys based off the SRK but it seemed that link didn't go anywhere in the document--is this possible?
Can we create DEKs from SRK even in the secure build environment that can be deployed to multiple units to allow for FW updates in the field without requiring unique DEKs per device in the field?
So confused about this... an older forum post suggests that this method of operating isn't possible... https://community.nxp.com/t5/i-MX-Processors/Encrypted-image-per-i-mx6-unit/m-p/803116.
