I am trying to use encrypted secure boot. All works, but I want to be able to generate a DEK blob while sitting at the Linux command prompt on the device itself. I understand that I am able to burn fuses and lock the processor using the OCOTP sysfs capability, but I also want this to actually generate a DEK blob by writing a chosen dek.bin to a sysfs file and reading back a DEK blob from that or another sysfs file.
I know this is possible because I was able to do it before but forgot how since then. I remember there was a specific patch that was needed for the kernel in order to do this. I have been unable to find this anywhere. I know there are a couple of different patches out there, but they generate a more general blob than the specific DEK blob that I need, which has a "81" header, etc. I basically want to duplicate the exact code functionality done by the U-Boot dek_blob command, but in the Linux kernel, accessible by user space on the command line.
Any help would be most appreciated. Thanks in advance,
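Whatever mechanism ends up producing the blob, it helps to have a quick way to confirm that what comes back out actually has the dek_blob framing the post asks for. The following checker is an added example written for this thread; it is not code from the original post, from U-Boot or from NXP. The layout it assumes (from the U-Boot dek_blob implementation) is an 8-byte header, with the 0x81 tag, a big-endian total length, a HAB version byte and a four-byte wrapped-key header whose third byte is the key size, followed by the CAAM blob, which is the key plus 48 bytes of blob overhead (32-byte encrypted blob key and 16-byte MAC). Only the tag, the length field and the key-size consistency are validated; the version, mode, algorithm and flag bytes are reported but not checked, and the sample blob is constructed filler, not real CAAM output.

```c
/* Framing check for an i.MX DEK blob in the U-Boot "dek_blob" layout.
 * Added example for this thread, not U-Boot or NXP code. Assumed layout:
 *   byte 0      0x81          HAB wrapped-key tag
 *   bytes 1-2   length        whole blob, big-endian
 *   byte 3      HAB version   (reported, not checked)
 *   bytes 4-7   mode, alg, key size in bytes, flags (only size checked)
 *   bytes 8..   CAAM blob: 32-byte encrypted blob key + 16-byte MAC + key
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEK_BLOB_TAG        0x81
#define DEK_BLOB_HDR_LEN    8
#define CAAM_BLOB_OVERHEAD  48   /* 32-byte blob key section + 16-byte MAC */

struct dek_blob_info {
    uint8_t version;
    uint8_t mode;
    uint8_t alg;
    uint8_t flags;
    size_t  key_len;
};

/* Returns 0 when the framing is self-consistent, a negative code otherwise:
 *  -1 too short or wrong tag, -2 length field disagrees with the buffer,
 *  -3 key size is not 16/24/32 bytes, -4 payload does not fit the key size. */
int dek_blob_check(const uint8_t *blob, size_t n, struct dek_blob_info *info)
{
    size_t len, key_len;

    if (n < DEK_BLOB_HDR_LEN || blob[0] != DEK_BLOB_TAG)
        return -1;
    len = ((size_t)blob[1] << 8) | blob[2];
    if (len != n)
        return -2;
    key_len = blob[6];
    if (key_len != 16 && key_len != 24 && key_len != 32)
        return -3;   /* dek_blob only accepts 128/192/256-bit DEKs */
    if (len != DEK_BLOB_HDR_LEN + CAAM_BLOB_OVERHEAD + key_len)
        return -4;
    if (info) {
        info->version = blob[3];
        info->mode    = blob[4];
        info->alg     = blob[5];
        info->flags   = blob[7];
        info->key_len = key_len;
    }
    return 0;
}

/* Constructed sample: 72 bytes = 8 header + 48 overhead + 16-byte key.
 * Header bytes after the tag/length/size are illustrative placeholders and
 * the 64 payload bytes are zero filler, not real CAAM output. */
static const uint8_t sample_blob[72] = { 0x81, 0x00, 0x48, 0x43, 0x00, 0x55, 0x10, 0x00 };

/* Runs the check on the sample and returns the declared key length in bits,
 * or the negative error code from dek_blob_check. */
int sample_key_bits(void)
{
    struct dek_blob_info info;
    int rc = dek_blob_check(sample_blob, sizeof sample_blob, &info);
    return rc ? rc : (int)(info.key_len * 8);
}

int main(void)
{
    struct dek_blob_info info;
    int rc = dek_blob_check(sample_blob, sizeof sample_blob, &info);

    if (rc)
        printf("not a dek_blob-style blob (code %d)\n", rc);
    else
        printf("DEK blob: version 0x%02x mode 0x%02x alg 0x%02x flags 0x%02x, %zu-bit key\n",
               info.version, info.mode, info.alg, info.flags, info.key_len * 8);
    return rc ? 1 : 0;
}
```

Feed it the bytes read back from whichever sysfs file ends up exposing the blob; a truncated read shows up as the length mismatch (-2) rather than as a silently accepted blob.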
Thank you for the reply. Are you talking about the PRIBLOB? If so, page 20 in that document says:
To enable the command used to set this bitfield in U-Boot, the U-Boot must be built with a custom KConfig.
That application note only talks about U-Boot Kconfig; I don't see anything that has anything to do with the kernel or user space. And by "after booting process", do you mean at the U-Boot prompt or after the entire target has booted to the Linux command prompt?
Also, I don't want to "change" the DEK blob, I want to generate a new one from the dek.bin and do it on the Linux command line using the sysfs API.
The Encrypted Boot on HABv4 and CAAM Enabled Devices AN is posted here: AN12056. In this Application Note we explained the changes that need to be done in the Kconfig in order to change the DEK file after the booting process.