My question keeps getting marked as spam for some reason.
I'm trying to understand best practice for securely updating a large number (thousands) of devices based on the i.MX8 ULP in the field.
I would like to encrypt the updates, but don't want to use separate key_blobs for every device.
Will either of these strategies work?
- burn a shared key to fuses (I think this would be fuse bank 6 on the imx8ulp. Please confirm)
- deliver a shared key to the devices that is encrypted with an SRK and install it in the kernel keyring with keyctl
How is this usually accomplished at scale?