I am investigating security configurations for the i.MX8 ULP. I have secure boot working and am working on implementing encrypted boot using a dek_blob.
I have a high-level question. My understanding is that the dek_blob is encrypted with the OTPMK - One Time Programmable Master Key which is unique to the device. That would mean I would need a dek_blob for each device and separately encrypt updates for each device.
Let's say I have 5,000 devices distributed geographically. It seems onerous to encrypt 5,000 separate updates and deliver them each to the right device.
My question is, "How is this typically accomplished?" I have a couple of ideas how it might be accomplished, but I'd like to understand if there is a commonly accepted way.
These are the ways I have been considering:
- Burn a shared AES (OEM KEK) into fuses (I think it is fuse bank 6. Please confirm if you know)
- encrypt a shared key with an SRK key and deliver it in a container, create a key_blob and use keyctl to store it in a keychain.
Please provide guidance on a good practice.
