Is it possible to sign/encrypt several bootstages?

patrickjakob · ‎10-18-2016

Dear i.MX Community,

is it possible to sign and/or encrypt with an i.MX6 several bootstages like U-Boot, DeviceTree, Kernel and Root-Filesystem?

Yuri · ‎10-19-2016

Hello,

Basically this is possible to encrypt several boot stages, but i.MX boot ROM

checks and run only the first stage, say, U-boot. Then this is U-boot prerogative
to load, check, start kernel. Boot ROM HAB API may be used by U-boot.

As for RootFS - if it cannot be fully located in DRAM, it would be better to apply

standard Linux approach, as eCryptfs.

Have a great day,

Yuri

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct

Answer button. Thank you!

------------------------------------------------------------------------------

patrickjakob · ‎10-19-2016

Dear Mr Muhin,

Yes i know i have to implement the check functions by myself and i can use the ROM HAB API to check the image. I guess there was a problem because every time i encrypt an image i have to create a key blob in U-Boot and i thought that i can only create one key blob so only for one boot stage. But probably i was wrong, so i can create several blobs for different boot stages, thanks for the information.

best regards,

Patrick Jakob

Yuri · ‎10-19-2016

Hello,

You can create several blobs. Please submit request, if more details

are needed.

How to submit a new question for NXP Support

Regards,

Yuri.

Is it possible to sign/encrypt several bootstages?

Is it possible to sign/encrypt several bootstages?

i.MX6_All

Linux