I've follow the document AN4581/AN12056 try to build a encrypted and signed u-boot image for i.MX7D board.
The signed image (AN4581) is completed and work fine, but encrypted image (AN12056) don't work.
The device is closed by program SEC_CONFIG[1] fuse and can boot form a correct signed image, next I try to build a encrypted and signed u-boot image by follow the procedure in document AN12056 but failed.
The image can't boot device, and console print nothing.
The detailed steps as follow:
- Done the procedure in AN4581 and boot the device with signed u-boot.
- Compile the CST to enable the encrypting feature.
- Modify file "csf_u-boot_enc.txt" and "csf_u-boot_sign_enc.txt".
- Encrypt the U-Boot image.
- $ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin
- Sign the encrypted U-Boot image.
- $ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin
- Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin.
- $ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
- $ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36
- Generate encryptedu-boot with no dek.
- $ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff csf_u-boot_sign_enc.bin csf_u-boot_sign_enc.bin.pad
- $ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc.bin.pad > u-boot_encrypted_no_dek.bin
- $ objcopy -I binary -O binary --pad-to 0x95c00 --gap-fill=0x00 u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin
- Generate the DEK Blob.
- $ cp dek.bin /mnt/mmc
- boot device by sd card and into u-boot CLI.
- => fatload mmc 0 0x80800000 dek.bin; dek_blob 0x80800000 0x80801000 128; fatwrite mmc 0 0x80801000 dek_blob.bin 0x48
- Finalize the encrypted U-Boot image.
- $ cp /mnt/mmc/dek_blob.bin ./
- cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
sudo dd if=u-boot_encrypted.bin of=/dev/sdc bs=512 seek=2 conv=fsync
- Boot device and nothing show on console.
I have no idea about how to debug it due to I can't to trace ROM code or download the HAB log. Any suggestion?
