iMX6 ull encrypted boot

CarlosFG · ‎02-05-2021

I'm trying to enable encrypted boot in iMX6 ULL EVK. According to IMX6ULLRM and IMX6ULLSRM this should be possible. One of the steps to get encrypted boot work is generate a "dek blob" [1][2] inside the processor. In order to do that, there is a u-boot command named "dek_blob" that uses the CAAM [1][3][4]. I couldn't get his command work, It fails at this point in a function named caam_page_alloc() which is always called with the same parameters: caam_page_alloc(1, 1), this means it fails regardless of how I use the dek_blob command. I also tried to use the CAAM Linux drivers unsuccessfully. Later I found in a couple of sites the CAAM is not available in iMX6ULL [5][6]

So my question is ¿How can I encapsulate a DEK and obtain a dek blob in the iMX6ULL?

igorpadykov · ‎02-06-2021

Hi CarlosFG

unfortunately i.MX6ULL does not support encrypted boot.

Best regards
igor

View solution in original post

igorpadykov · ‎02-06-2021

Hi CarlosFG

unfortunately i.MX6ULL does not support encrypted boot.

Best regards
igor

CarlosFG · ‎02-08-2021

Thanks you very much igorpadykov.

The Applications Processor Reference Manual for this device (IMX6ULLRM) says the encrypted boot is supported. I humbly suggest to amend it in order to avoid other engineers waste their time trying to make it work.

igorpadykov · ‎02-08-2021

Hi CarlosFG

in theory it can be supported, but in practice NXP software implementation currently

supports only CAAM based options.

Best regards
igor

mprt · ‎03-03-2023

Is there any update on this matter?

You wrote that there is currently only the CAAM based implementation.

I hope there's a way to implement encrypted boot using the various keys. Unfortunately, I don't have access to the SRM.

iMX6 ull encrypted boot

iMX6 ull encrypted boot

i.MX6 All

Security