- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Cloud Lab Forums
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Knowledge Bases
- ARM Microcontrollers
- Identification and Security
- i.MX Processors
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- CodeWarrior
- Wireless Connectivity
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: i.MX8 encrypted U-Boot (and Linux kernel) in mass production
i.MX8 encrypted U-Boot (and Linux kernel) in mass production
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
i.MX8 encrypted U-Boot (and Linux kernel) in mass production
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We have set up our Yocto build process to produce a signed U-Boot and a signed Linux kernel. We've done this by preparing the CSF (Command Sequence File) and passing it along with the images to the CST (Code Signing Tool).
We now want to create an encrypted U-Boot image and an encrypted Linux kernel image. We've read:
- Encrypted Boot on HABv4 and CAAM Enabled Devices
- i.MX Secure Boot on HABv4 Supported Devices
- From the U-Boot source: encrypted_boot.txt and mx8m_encrypted_boot.txt
So my understanding is we need to do the following:
- Create a signed U-Boot image
- Flash the signed U-Boot image onto the target
- Create an encrypted and signed SPL image
- Create an encrypted and signed FIT image
- Copy the encrypted and signed SPL and FIT images onto the target
- Create the SPL DEK blob and the FIT DEK blob
- Copy the SPL DEK blob and the FIT DEK blob off the target and back onto the build host
- Assemble the final encrypted U-Boot image
- Flash the target a second time, this time using the encrypted U-Boot image
- Now the target will boot, decrypt and verify the U-Boot image
My question is about how this could/should be implemented as a mass production process. Normally during our production manufacturing steps, we would flash a prepared image and then test that the target hardware is functional (among other steps). To achieve an encrypted U-Boot and Linux kernel it would appear that we are going to have a much more sophisticated process where images/files are copied to and from the target and the target needs to be flashed more than once. This is going to make our production manufacturing process more complicated and take longer.
My questions are:
- Is my understanding of the process to get an encrypted U-Boot correct?
- Is my understanding correct that step 6 must be done on each target because each target will create a unique DEK blob?
- Is there an alternative to the process that I've described? One where an image can be prepared ahead of production manufacturing time.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Nocker
- Is my understanding of the process to get an encrypted U-Boot correct?
The process seems no problem, just be sure that the blob can be generated based on the closed device.
The step 7, Please pay more attention to the process of copying both blobs.
2. Is my understanding correct that step 6 must be done on each target because each target will create a unique DEK blob?
That is correct, if the device closed.
To other questions, I'm getting confirmation, please bear with some time.
Best regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is anyone from NXP able to advise if I'm on the right track? Thanks.
