帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Running encrypted image on i.mx6

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Running encrypted image on i.mx6

跳至解决方案
‎03-24-2014 03:03 AM
2,173 次查看
vadimlomovtsev
Contributor II

Let's say we have encrypted image which have to be loaded and run at the i.MX6-based board. Image was created and encrypted at some build-server.

According to documentation it is possible to decrypt it using CAAM module but we need to specify keys to decrypt our image in some way.

The question is - how we could store keys for image decryption at the board (e.g. decryption could be made by u-boot)?

Is it possible to use OTPMK fuse block for storing keys (which is quite small)? Or there is another solution to handle such scenarios?

Also it is said that in order to run HAB authentication we need to burn some values onto OTPMK fuses block, would it be critical if we try to store our secret keys there?

标签 (6)
标记 (2)
回复
1 解答

跳至解决方案
‎03-25-2014 12:07 AM
1,404 次查看
Yuri
NXP Employee
NXP Employee

The following thread provides some information about CAAM using

for application encryption / decryption. 

https://community.freescale.com/message/362564#362564

As for OTPMK, please refer to i.MX6 Security Reference Manual.

Note, the OTPMK is factory burned. This means blobs MUST be generated on the i.MX6 :

the blob is the DEK (Data Encryption Key) encrypted with the OTP Master Key (programmed

in fuses on the i.MX6).

  So, Your requirement to use own key to encrypt an image on an external server and decrypt

it on the i.MX6 is not supported.


在原帖中查看解决方案

0 项奖励
回复
1 回复

跳至解决方案
‎03-25-2014 12:07 AM
1,405 次查看
Yuri
NXP Employee
NXP Employee

The following thread provides some information about CAAM using

for application encryption / decryption. 

https://community.freescale.com/message/362564#362564

As for OTPMK, please refer to i.MX6 Security Reference Manual.

Note, the OTPMK is factory burned. This means blobs MUST be generated on the i.MX6 :

the blob is the DEK (Data Encryption Key) encrypted with the OTP Master Key (programmed

in fuses on the i.MX6).

  So, Your requirement to use own key to encrypt an image on an external server and decrypt

it on the i.MX6 is not supported.


0 项奖励
回复