i.MX8 encrypted U-Boot (and Linux kernel) in mass production


Nocker
Contributor II

Hi,

We have set up our Yocto build process to produce a signed U-Boot and a signed Linux kernel.  We've done this by preparing the CSF (Command Sequence File) and passing it along with the images to the CST (Code Signing Tool).

We now want to create an encrypted U-Boot image and an encrypted Linux kernel image.  We've read:

  • Encrypted Boot on HABv4 and CAAM Enabled Devices
  • i.MX Secure Boot on HABv4 Supported Devices
  • From the U-Boot source: encrypted_boot.txt and mx8m_encrypted_boot.txt


So my understanding is we need to do the following:

  1. Create a signed U-Boot image
  2. Flash the signed U-Boot image onto the target
  3. Create an encrypted and signed SPL image
  4. Create an encrypted and signed FIT image
  5. Copy the encrypted and signed SPL and FIT images onto the target
  6. Create the SPL DEK blob and the FIT DEK blob
  7. Copy the SPL DEK blob and the FIT DEK blob off the target and back onto the build host
  8. Assemble the final encrypted U-Boot image
  9. Flash the target a second time, this time using the encrypted U-Boot image
  10. Now the target will boot, decrypt and verify the U-Boot image

My question is about how this could/should be implemented as a mass production process.  Normally during our production manufacturing steps, we would flash a prepared image and then test that the target hardware is functional (among other steps).  To achieve an encrypted U-Boot and Linux kernel it would appear that we are going to have a much more sophisticated process where images/files are copied to and from the target and the target needs to be flashed more than once.  This is going to make our production manufacturing process more complicated and take longer.

My questions are:

  1. Is my understanding of the process to get an encrypted U-Boot correct?
  2. Is my understanding correct that step 6 must be done on each target because each target will create a unique DEK blob?
  3. Is there an alternative to the process that I've described?  One where an image can be prepared ahead of production manufacturing time.
2 Replies

Harvey021
NXP TechSupport

Hi @Nocker 

  1. Is my understanding of the process to get an encrypted U-Boot correct?

     The process seems to have no problem; just be sure that the blob can be generated based on the closed device.

     For step 7, please pay more attention to the process of copying both blobs.

  2. Is my understanding correct that step 6 must be done on each target because each target will create a unique DEK blob?

     That is correct, if the device is closed.

For the other questions, I'm getting confirmation; please bear with me for some time.

 

Best regards

Harvey
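
Added example, not part of the thread and not NXP tooling: a sketch of the build-host side of step 8 run once per unit, assuming the same encrypted SPL and FIT payload is used for every unit and only the DEK blobs copied back in step 7 differ. The slot offsets and sizes, serial numbers, function names and blob bytes are constructed assumptions; real offsets come from your own image layout.

```python
import hashlib

# Constructed layout (assumption): offset and reserved size of each DEK blob
# slot in the image. Real values are board specific and come from your build.
SLOTS = {"spl": (0x1000, 0x48), "fit": (0x3000, 0x48)}

class AssemblyError(Exception):
    """Raised when a unit image cannot be assembled safely."""

def assemble_unit_image(base_image, blobs, slots=SLOTS, fill=0x00):
    """Copy the common image and write this unit's DEK blobs into their slots."""
    if set(blobs) != set(slots):
        raise AssemblyError("expected blobs for exactly: %s" % sorted(slots))
    image = bytearray(base_image)
    for name, (offset, reserved) in slots.items():
        blob = blobs[name]
        if not 0 < len(blob) <= reserved:
            raise AssemblyError("%s blob has bad length %d" % (name, len(blob)))
        if offset + reserved > len(image):
            raise AssemblyError("%s slot lies outside the image" % name)
        if any(b != fill for b in image[offset:offset + reserved]):
            raise AssemblyError("%s slot is not empty in the base image" % name)
        image[offset:offset + len(blob)] = blob
    return bytes(image)

def _sha256(data):
    return hashlib.sha256(data).hexdigest()

def manifest_entry(serial, blobs, image):
    """Record hashes so a unit's image can be traced back to its blobs."""
    return {"serial": serial, "image": _sha256(image),
            "blobs": {name: _sha256(blob) for name, blob in blobs.items()}}

def find_reused_blobs(manifest):
    """Return (blob_hash, serials) for any blob recorded on more than one unit."""
    seen = {}
    for entry in manifest:
        for digest in entry["blobs"].values():
            seen.setdefault(digest, set()).add(entry["serial"])
    return sorted((d, sorted(s)) for d, s in seen.items() if len(s) > 1)

def constructed_blob(serial, name):
    """Stand-in for a blob copied off a target (constructed, not a real DEK blob)."""
    return (hashlib.sha256(("%s/%s" % (serial, name)).encode()).digest() * 3)[:0x48]

BASE = bytearray(b"\xAA" * 0x4000)          # constructed common encrypted image
for _off, _len in SLOTS.values():
    BASE[_off:_off + _len] = bytes(_len)    # zero-filled blob slots
BASE = bytes(BASE)
```

Running `find_reused_blobs` over the production manifest flags the case where blobs from one unit were copied into another unit's image, which is the mix-up the step 7 caution is about.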

Nocker
Contributor II

Is anyone from NXP able to advise if I'm on the right track?  Thanks.
