i.MX91 Encrypted boot

Gunashree_MN
Contributor II

Hi Everyone,

I am trying to implement Encrypted Boot on the i.MX 91 processor. I did refer to the i.MX 91 reference manual, the Security reference manual and the AHAB document, but I am still not getting a clear picture of the flow. Can you please guide me on how to implement it? Also, it would be helpful if you could share any specific documents to refer to for the same.

Thanks in advance

Gunashree_MN
Contributor II

Hi @Bio_TICFSL 

Could you please share the memory map or fuse map details (bank, word, etc.) for the registers used in encrypted boot, such as the SRK fuses?



Thanks in advance!

Bio_TICFSL
NXP TechSupport

Gunashree_MN
Contributor II

Hi @Bio_TICFSL 

You had previously suggested using the SPSDK tool for key generation, signing, and encryption.

Could you please clarify the difference between implementing encrypted boot using the SPSDK tool versus the CST tool?
Is there a specific reason why you recommended SPSDK?

Thanks in advance!

#iMX91

 

Gunashree_MN
Contributor II

Hi @Bio_TICFSL,

Thanks for sharing inputs. Those are helpful.

I want one more clarification regarding encrypted boot of i.MX 91.


I have installed the SPSDK tool for key generation, signing and encryption.
I have generated the SRKs using the commands below:

spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key0.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key1.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key2.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key3.pem


The certificate is generated using the commands below:

spsdk nxpcrypto cert get-template -o srk_template.yaml
spsdk nxpcrypto cert generate -c srk_template.yaml -o srk_output

My next step is to generate the DEK and its blob.

Can you please give inputs on how to generate the DEK and its blob?

Thanks in advance

#IMX91

Gunashree_MN
Contributor II

Hi @Bio_TICFSL,

I am currently working on implementing secure encrypted boot for the i.MX91. Could you please guide me on how to generate the DEK (Data Encryption Key) and the corresponding DEK blob?

Your help would be greatly appreciated, and I look forward to your response.

Best regards,

 

Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello,

HSM services are accessed by using the EdgeLock Enclave Hardware Security Module API and provide security features to various kinds of applications. You can find the user space library here: GitHub - nxp-imx/imx-secure-enclave at lf-6.1.55_2.2.0

For OTFAD, the key used to perform the wrap and unwrap operations is known as the key encryption key (KEK). There are two kinds of OTFAD KEK: 1. Use the fuse OTFAD_KEY; the OTFAD_KEY_SCRAMBLE is also optional, which will scramble the master key that is used to wrap and unwrap the blobs.

 

Regards

 

Gunashree_MN
Contributor II

Hi @Bio_TICFSL 

Can you please confirm that I am on the correct path to achieving the encrypted boot of i.MX91?

Key generation:

I have installed the SPSDK tool for key generation and signing.
I have generated the SRKs using the commands below:

spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key0.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key1.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key2.pem
spsdk nxpcrypto key generate -k secp256r1 -o srk_keys/srk_key3.pem

Next, I want to generate the DEK and DEK blob for encryption.

The DEK key is generated randomly.

For generating the DEK_blob, I am using the i.MX91 EVK.

The EVK with boot mode is connected to the host PC where the keys are generated using the SPSDK tool.

The board is detected on COM5, and I used the command below to generate the DEK blob. I confirmed this through Device Manager.

nxpele --family mimx9131 --port COM5 generate-keyblob DEK --key dek.bin --output dek_blob.bin --key-size 256 --algorithm AES_CBC --key-id 0

But I am facing the error below.
Error: SPSDKConnectionError: SPSDK: Failed to open serial port COM5

So, I am stuck at this point. Can you please tell me whether I am on the right track, and how do I fix this error?

Thanks in Advance.

Gunashree_MN
Contributor II

Hi @Bio_TICFSL 

I have successfully fused the SRK hash key on my device, and Secure Boot is working as expected. However, I am currently facing issues enabling Encrypted Boot.

I followed the procedure outlined in the following guide:
https://github.com/nxp-imx/uboot-imx/blob/lf_v2024.04/doc/imx/ahab/guides/mx8ulp_9x_encrypted_boot.t...

Below is a summary of the steps I followed in addition to Secure Boot:

  1. Generated DEK keys using openssl.

  2. Created DEK blobs as described in Section 1.7: Generating the DEK Blob.

  3. Encrypted the 2nd container using DEK_2.

  4. Encrypted the 3rd container using DEK_3.

  5. Inserted the generated DEK blobs into the encrypted-flash.bin file (generated after encrypting the 3rd container).

  6. Signed the kernel image by following the guide at: https://github.com/nxp-imx/uboot-imx/blob/lf_v2024.04/doc/imx/ahab/guides/sign_os_cntr.txt

  7. Programmed the SRK hash fuses to the device.

  8. Copied encrypted-flash.bin into the UUU tool and renamed it to flash.bin.

  9. Copied os_cntr_signed.bin to the UUU tool and updated the script as below:
    FBK: ucp Linux/Image t:/mnt/fat
    FBK: ucp Linux/os_cntr_signed.bin t:/mnt/fat

  10. Flashed the device using the updated UUU script.

 

Issue: After flashing, the device is not booting.

Could you kindly help me identify what might be going wrong and share your suggestions or guidance on this issue.
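
Added example, not part of the post above or of the NXP guide it follows: one way to carry out step 1 (DEK generation with openssl) so that each encrypted container gets its own key and the key files are created owner-only. The function names, the file names `dek_2.bin` and `dek_3.bin`, and the 32-byte (AES-256) size are assumptions.

```shell
#!/bin/sh
# Added example: generate one DEK per encrypted container (2nd and 3rd).
# File names and the 32-byte (AES-256) size are assumptions, not from the thread.

# gen_dek <output-file> [size-in-bytes]
gen_dek() {
    out=$1
    size=${2:-32}
    case "$size" in
        16|24|32) ;;                    # AES-128/192/256 key lengths only
        *) echo "unsupported DEK size: $size" >&2; return 1 ;;
    esac
    if [ -e "$out" ]; then              # never silently replace a key that may be in use
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    (
        umask 077                       # owner-only before any key byte is written
        openssl rand -out "$out" "$size"
    ) || return 1
    # Confirm the file holds exactly the requested number of bytes.
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$size" ] || { rm -f "$out"; return 1; }
}

# gen_container_deks <dir>: creates <dir>/dek_2.bin and <dir>/dek_3.bin
gen_container_deks() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    gen_dek "$dir/dek_2.bin" 32 || return 1
    gen_dek "$dir/dek_3.bin" 32 || return 1
    # Identical keys would point to a broken random source or a copy mistake.
    if cmp -s "$dir/dek_2.bin" "$dir/dek_3.bin"; then
        echo "DEK_2 and DEK_3 are identical" >&2
        return 1
    fi
}

# Usage: gen_container_deks ./dek_keys
```

The plaintext DEK files are only needed on the signing host until the DEK blobs have been created and the containers encrypted; the image itself carries the blobs, not the raw keys.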

Gunashree_MN
Contributor II

Hi @JorgeCas ,

Can you please help me with this?

Thanks in advance.
