- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: Meaning of the certificate argument to CST for encrypted boot
Meaning of the certificate argument to CST for encrypted boot
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Meaning of the certificate argument to CST for encrypted boot
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All
I am trying to get encrypted boot to work on an i.MX6. The sample command line (from ) to sign/encrypt an image for use with encrypted boot goes:
./cst -o csf.bin -c ./dek_rsa_key_crt.pem < u-boot_enc.csf
Can anybody tell me what the parameter "-c ./dek_rsa_key_crt.pem" does?
I assumed that it is used to protect the DEK for transport to the place where it is encrypted into a DEK blob on the target but then wondered:
- How can the target decrypt the DEK to re-encrypt it with the OTPMK?
- How do I generate the dek_rsa_key_crt.pem?
Regards
Florian
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Please refer to "HAB CodeSigning Tool User’s Guide" in CST package documentation.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri
Thank you for the Hint. I am aware of the manual, I even printed it into a booklet ;-)
The manual states:
--cert <cert_file>:
Public key certificate filename. Required when input CSF contains Install
Secret Key command(s). Symmetric key(s) are encrypted using the public key and
saved to a filename specified in the CSF command
and:
To generate out_csf.bin from input hab4.csf and public key certificate to encrypt symmetric key(s)
cst --o out_csf.bin --cert dek_protection_crt.pem < hab4.csf
I have the following specific questions:
- Does the target decrypt the DEK with the dek_protection_crt.pem counterpart?
Is that counterpart embedded in the CSF?
or stated in another way: Can I upload the resulting dek.bin directly onto the target for wrapping? - What are the requirements for the dek_protection_crt.pem?
Regards
Florian
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am not sure if encryption boot details may be dicussed here.
Please create request :
How to submit a new question for NXP Support
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you answer this here pls?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri
OK, thank you, I will do that!
Regards Florian
