IMX6ULLSRM.pdf, page 162, 5.3.2.2 AES OTP key
The DCP receives a 64-bit UNIQUE KEY and a 128-bit CRYPTO KEY.
...
To use the OTP key, the descriptor packet must set the OTP_KEY field in the Control1
register (see Control1 field).
- As the UNIQUE_KEY is only 64-bit, it is not useful for AES-128 operation, right?
IMX6ULLSRM.pdf, page 165, 5.3.4 One-Time Programmable (OTP) key
The OTP key (CRYPTO KEY) can be selected using the DCP_Control1[OTP_KEY] bit
in the control field of the packet descriptor or by using the key select 0xFF in the CTRL1
field of the descriptor. The DCP also supports a second hardware key called the UNIQUE
KEY which is generated from the OTP KEY and the key modifier bits from other OTP
fuse fields. This key is unique to the device and can be used to encrypt the private data
stored on the NAND. This key can be selected by writing 0xFE to the KEY_SELECT
field in the CTRL1 packet data.
- Does the UNIQUE_KEY contain real entropy, or is it directly created from the UNIQUE_ID fuses?
- What are the applications for using UNIQUE_KEY instead of CRYPTO_KEY?
- How do I select UNIQUE_KEY. Do I only have to select 0xFE for KEY_SELECT, or do I also need to set DCP_Control1[OTP_KEY]? Can you fill the table for me:
| Key | DCP_CONTROL1[OTP_KEY] | KEY_SELECT |
|---|
| CRYPTO_KEY | | |
| UNIQUE_KEY | | |
