FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

generate DEK blob from user space command line?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

generate DEK blob from user space command line?

‎06-15-2020 02:46 PM
2,736 Views
colbyaconklin
Contributor I

Trying to use encrypted secure boot. All works, but I want to be able to generate a DEK blob while sitting at the Linux command prompt on the device itself. I understand that I am able to burn fuses and lock the processor using OCOTP sysfs capability but also want this to actually generate a DEK blob by writing a chosen dek.bin to a sysfs file and reading back a DEK blob from that or another sysfs file.

I know this is possible because I was able to do it before but forgot how since then. I remember there was a specific patch that was needed for the kernel in order to do this. I have been unable to find this anywhere. I know there are a couple of different patches out there but they generate a more general blob than the specific DEK blob that I need that has a "81" header, etc. I basically want to duplicate the exact code functionality done by uboot dek_blob command but in the Linux kernel accessible by user space on the command line.

Any help would be most appreciated. Thanks in advance,

Tags (1)
0 Kudos
Reply
3 Replies

‎06-22-2020 01:39 PM
2,632 Views
colbyaconklin
Contributor I

Thank you for the reply. Are you talking about the PRIBLOB? If so, page 20 in that document says:
To enable the command used to set this bitfield in U-Boot, the U-Boot must be built with a custom KConfig.
That application note only talks about U-Boot Kconfig, I don't see anything that has anything to do with the kernel or user space. And "after booting" process, do you mean in the UBoot prompt or after the entire target has booted to Linux command prompt?

Also, I don't want to "change" the DEK blob, I want to generate a new one from the dek.bin and do it on the Linux command line using the sysfs API.

Anybody?

0 Kudos
Reply

‎10-26-2022 12:08 AM
2,141 Views
Nocker
Contributor II

Hi, did you figure out a procedure for this?  I would also like to do this.  Is there a guide that you can direct me to?

0 Kudos
Reply

‎06-19-2020 11:39 AM
2,632 Views
jamesbone
NXP TechSupport
NXP TechSupport

Encrypted Boot on HABv4 and CAAM Enabled Devices AN is posted here AN12056.  In this Application Note we explained the changes that need to be done in the Kconfig in order to change the DEK file after booting process.

0 Kudos
Reply