Hi All
I am trying to get encrypted boot to work on an i.MX6. The sample command line (from ) to sign/encrypt an image for use with encrypted boot goes:
./cst -o csf.bin -c ./dek_rsa_key_crt.pem < u-boot_enc.csf
Can anybody tell me what the parameter "-c ./dek_rsa_key_crt.pem" does?
I assumed that it is used to protect the DEK for transport to the place where it is encrypted into a DEK blob on the target but then wondered:
- How can the target decrypt the DEK to re-encrypt it with the OTPMK?
- How do I generate the dek_rsa_key_crt.pem?
Regards
Florian
Hello,
Please refer to "HAB CodeSigning Tool User’s Guide" in CST package documentation.
Have a great day,
Yuri
Hi Yuri
Thank you for the hint. I am aware of the manual; I even printed it into a booklet ;-)
The manual states:
--cert <cert_file>:
Public key certificate filename. Required when input CSF contains Install
Secret Key command(s). Symmetric key(s) are encrypted using the public key and
saved to a filename specified in the CSF command
and:
To generate out_csf.bin from input hab4.csf and public key certificate to encrypt symmetric key(s)
cst --o out_csf.bin --cert dek_protection_crt.pem < hab4.csf
I have the following specific questions:
Regards
Florian
Hi Yuri
OK, thank you, I will do that!
Regards Florian