iMX6 ull encrypted boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

iMX6 ull encrypted boot

Jump to solution
1,377 Views
CarlosFG
Contributor II

I'm trying to enable encrypted boot in iMX6 ULL EVK. According to IMX6ULLRM and IMX6ULLSRM this should be possible. One of the steps to get encrypted boot work is generate a "dek blob" [1][2] inside the processor. In order to do that, there is a u-boot command named "dek_blob" that uses the CAAM [1][3][4]. I couldn't get his command work, It fails at this point in a function named caam_page_alloc() which is always called with the same parameters: caam_page_alloc(1, 1), this means it fails regardless of how I use the dek_blob command. I also tried to use the CAAM Linux drivers unsuccessfully. Later I found in a couple of sites the CAAM is not available in iMX6ULL [5][6]

So my question is ¿How can I encapsulate a DEK and obtain a dek blob in the iMX6ULL?

  1. Code-signing Tool User's Guide
  2. AN12056
  3. U-boot introduction to HABv4
  4. U-boot encrypted boot
  5. https://community.nxp.com/t5/i-MX-Processors/Signed-and-encrypted-boot-in-i-MX6UL/m-p/466447/highlig...
  6. https://patchwork.kernel.org/project/linux-arm-kernel/patch/1523739330-27363-1-git-send-email-festev...
Labels (2)
0 Kudos
1 Solution
1,350 Views
igorpadykov
NXP Employee
NXP Employee

Hi CarlosFG

 

unfortunately i.MX6ULL does not support encrypted boot.

 

Best regards
igor

View solution in original post

0 Kudos
4 Replies
1,351 Views
igorpadykov
NXP Employee
NXP Employee

Hi CarlosFG

 

unfortunately i.MX6ULL does not support encrypted boot.

 

Best regards
igor

0 Kudos
1,316 Views
CarlosFG
Contributor II

Thanks you very much igorpadykov.

The Applications Processor Reference Manual for this device (IMX6ULLRM) says the encrypted boot is supported. I humbly suggest to amend it in order to avoid other engineers waste their time trying to make it work.

CarlosFG_0-1612770985948.png

 

0 Kudos
1,282 Views
igorpadykov
NXP Employee
NXP Employee
 

Hi CarlosFG

 

in theory it can be supported, but in practice NXP software implementation currently

supports only CAAM based options.

 

Best regards
igor

0 Kudos
646 Views
mprt
Contributor I

Is there any update on this matter?

You wrote that there is currently only the CAAM based implementation.

I hope there's a way to implement encrypted boot using the various keys. Unfortunately, I don't have access to the SRM.

0 Kudos