FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Signing rootfs using cst for Secure boot on iMX8MP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Signing rootfs using cst for Secure boot on iMX8MP

‎11-30-2023 12:23 AM
3,159 Views
gaurav_bankar
Contributor II

Hello, 

   I am trying to secure boot my custom iM8MP soc board. I have already secured uboot and kernel following the various documents provided. But I am having trouble extending the root of trust to rootfs. I am using wic file for kernel and rootfs. The filesystem type for rootfs is ext4. 

  Can I get the procedure to sign rootfs using csf and cst? Thank you. 

0 Kudos
Reply
3 Replies

‎12-01-2023 05:20 AM
2,998 Views
Torylyrs
Contributor II

Securing the rootfs on your custom iM8MP SOC board involves creating a CSF file with commands to authenticate the rootfs, signing it using CST with your private key, and configuring your bootloader to use this signed CSF for authentication during the boot process. Ensure that the public key corresponding to your private key is properly embedded in your SOC's ROM or fused into the device during manufacturing.

0 Kudos
Reply

‎12-01-2023 02:21 AM
3,139 Views
Harvey021
NXP TechSupport
NXP TechSupport

I'd recommend i.MX Encrypted Storage Using CAAM Secure Keys (nxp.com)

 

Regards

Harvey

0 Kudos
Reply

‎12-14-2023 11:48 PM
2,929 Views
gaurav_bankar
Contributor II

Hello @Harvey021 , 

    I am following your suggestion of using i.MX Encrypted Storage Using CAAM Secure Keys, rev 2. 

I am following the document and made the necessary changes in the defconfig file to include CAAM and DM-crypt 

# Enable DM-Crypt and its dependencies
CONFIG_BLK_DEV_DM=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD=y
CONFIG_DM_CRYPT=y
CONFIG_DM_MULTIPATH=y
# Enable CAAM black key/blob driver and its dependencies (this is enabled, by default)
CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API=y

I have also added 

CONFIG_CRYPTO=y

I have made a build with the suggestions made in the document.

According to section 3.2 of AN12714 rev 2 the first point to make sure that cryptographic transformations using Tagged Key are registered. I am not able to see the tagged key in my build. 

I do not get any response to this command : cat /proc/crypto | grep -B1 -A2 tk

I am attaching my defconfig for your reference. 

Also the document explains about creating a secure volume through image file and then mounting it. But how can I secure an already mounted volume. I want my partitions to be already encrypted before the mounting process during device startup. How can I achieve it ? 

Preview file
21 KB
0 Kudos
Reply