BOARD imxrt1020evk.
I did not get an answer to my previous question, so I am creating a new one. I am using your encryption utility enc_image.
enc_operation.c (func - void handle_data_enc_ctr(uint8_t *key, uint8_t *nonce, uint8_t *buf, size_t length))
I changed your source code, because it didn't work correctly.
#if 0 //BUGGY CODE DETECTED
mbedtls_aes_crypt_ctr(&ctx, length, &offset, nonce, stream_block, buf, buf); //this code doesn't encrypt any data !!!
#else
mbedtls_aes_crypt_ctr(&ctx, length, &offset, nonce, stream_block, buf, out_buf); //this code works fine
memcpy(buf, out_buf, length);
#endif
Build this code: gcc *.c -lmbedtls -lmbedx509 -lmbedcrypto -o image_enc
After that:
./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted_ctr.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1
Remove the 1K padding
dd if=flexspi_nor_edma_transfer_bee_encrypted_ctr.bin of=flexspi_nor_edma_transfer_bee_encrypted_ctr_remove1K.bin skip=1 bs=1024 count=200
Generate the encrypted sb file
./elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_ctr_remove1K.bin
Generate the burn_fuse sb file
./elftosb -f kinetis -V -c burn_fuse.bd -o burn_fuse.sb
Flash images
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb
BOARD DOES NOT LOAD FROM FLEXSPI!!!
The same result with AES ECB when I try:
./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted_ctr.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1
I read the efuses:
./blhost -p /dev/ttyACM0,115200 efuse-read-once 6 - 0x3000 by secure datasheet 0x460[13,12] - set 12,13 bit - BEE_KEY0_SEL from SW_GP2
AES_KEY: (my key is 0123456789abcdeffedcba9876543210)
./blhost -p /dev/ttyACM0,115200 efuse-read-once 41 - 0x76543210
./blhost -p /dev/ttyACM0,115200 efuse-read-once 42 - 0xfedcba98
./blhost -p /dev/ttyACM0,115200 efuse-read-once 43 - 0x89abcdef
./blhost -p /dev/ttyACM0,115200 efuse-read-once 44 - 0x01234567
KIB0 and PRDB0 are located in FlexSPI at offsets 0x400 and 0x480. You write this data with the enc_image utility.
Has anyone checked the functionality of this utility??? Perhaps there is a working version of this utility (enc_image)? So far the impression is that nothing is working: AES ECB doesn't work, AES CTR doesn't work. BEE encryption on the fly doesn't work....
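Added example, not part of the original post and not NXP code: a check that the efuse-read-once values quoted above match the intended key and key selection, using the word order and BEE_KEY0_SEL value shown in the post. The function names and the dictionary layout are assumptions made for this example.

```python
import string

# Word order and BEE_KEY0_SEL value are taken from the readback quoted in the post.
SW_GP2_INDEXES = (41, 42, 43, 44)   # efuse-read-once indexes holding the key
BEE_KEY0_SEL_SW_GP2 = 0b11          # bits 13:12 of fuse index 6 (0x3000 in the post)

POST_KEY = "0123456789abcdeffedcba9876543210"
POST_READBACK = {6: 0x3000, 41: 0x76543210, 42: 0xFEDCBA98,
                 43: 0x89ABCDEF, 44: 0x01234567}


def key_to_fuse_words(key_hex):
    """Map a 128-bit key to {fuse index: 32-bit word}; last 8 hex digits go to 41."""
    key_hex = key_hex.strip()
    if len(key_hex) != 32 or any(c not in string.hexdigits for c in key_hex):
        raise ValueError("expected exactly 32 hex digits")
    words = [int(key_hex[i:i + 8], 16) for i in range(0, 32, 8)]
    return dict(zip(SW_GP2_INDEXES, reversed(words)))


def check_fuses(key_hex, readback):
    """Return a list of mismatches; an empty list means the fuses match the key."""
    problems = []
    if 6 not in readback:
        problems.append("fuse 6: not read")
    else:
        sel = (readback[6] >> 12) & 0b11
        if sel != BEE_KEY0_SEL_SW_GP2:
            problems.append(f"fuse 6: BEE_KEY0_SEL={sel:#04b}, expected 0b11 (SW_GP2)")
    for index, expected in key_to_fuse_words(key_hex).items():
        actual = readback.get(index)
        if actual is None:
            problems.append(f"fuse {index}: not read")
        elif actual != expected:
            problems.append(f"fuse {index}: read {actual:#010x}, expected {expected:#010x}")
    return problems


if __name__ == "__main__":
    for line in check_fuses(POST_KEY, POST_READBACK) or ["fuses match the key"]:
        print(line)
```

With the values from the post the check returns no mismatches, so the key words and the key selection read back as intended.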
Everything works well, the utility enc_image code was correct, I did not use it that way. I checked BEE AES ECB (with zero keys and random keys) - works well.
I checked BEE AES CTR (with zero keys and random keys) - works well.
If it can help anyone, I am attaching a set of files and brief instructions for flashing the board on Linux, with and without encryption. I apologize for my post above about the non-working code. Everything works fine. For Windows, use the ready-made software from NXP.
I am sending you an archive with the files that I got and which I used. Perhaps you can help me with my problem.
flexspi_nor_edma_transfer_bee_encrypted_ctr_remove1K.bin - AES CTR encrypted file
flexspi_nor_edma_transfer_bee_encrypted_ecb_remove1K.bin - AES ECB encrypted file
burn_fuse.bd - file for burning the fuses
program_imxrt1020_qspi_encrypt_sw_gp2.bd - for programming the flash
./blhost -p /dev/ttyACM0,115200 read-memory 0x60000000 40000 test_ctr.bin - used to read data from FlexSPI after programming the AES CTR encrypted file
./blhost -p /dev/ttyACM0,115200 read-memory 0x60000000 40000 test_ecb.bin - used to read data from FlexSPI after programming the AES ECB encrypted file.
In these files (test_ctr.bin, test_ecb.bin):
0x400 offset - I tried to manually decrypt the data for kib.iv and kib.key with AES ECB and AESKEY = 0123456789abcdeffedcba9876543210. Result OK, I get zero kib.iv and kib.key.
0x480 offset - I tried to manually decrypt the data for the protect region block with zero kib.iv and kib.key with AES CBC - Result OK. The whole protect region is correct.
I don’t know what exactly the bootROM doesn’t like. How does it work? You can check what is wrong in my binary data; I have provided all the keys and encrypted data to you.
AES key (0123456789abcdeffedcba9876543210)
kib.iv and kib.key - zero keys.
AES CTR encrypt binary file - test_ctr.bin
AES CBC encrypt binary file test_ecb.bin
It works with the AES ECB method. I didn't fuse XIP encrypt (450[0] - BOOT_CFG[0]) - I was afraid of getting a broken board. To enable this mode (XIP encrypt), just set SW8 (1-ON (encrypt XIP), 3-ON (load from Flex)). And everything works well. I read data from flash to a temp file (./blhost -p /dev/ttyACM0,115200 read-memory 0x60000000 40000 test_ecb.bin) - and all my region is encrypted.
Later I will try to use AES CTR mode. AES ECB BEE encrypt/decrypt on the fly works well.