i.MX93 encrypted linux


spawn
Contributor III

Hello,

I enabled secure-boot on my board, the bootloader containers
and linux are signed. The SRK fuses are configured, ahab_status returns
no error, and auth_cntr successfully authenticates linux and then the
boot command succeeds.


Now that I added the rootfs decryption key to the initramfs
that is embedded into the linux-dtb-initramfs container, I need to
encrypt this container.


I added the encryption command "[Install Secret Key] ... " to
the CSF file, signed+encrypted the linux-dtb-initramfs container using
CST, generated the blob on the board using the `dek_blob` command, then
added this 72-byte blob to the signed+encrypted linux-dtb-initramfs
container at the offset returned by CST.


But now U-Boot is not happy and returns an error "Error:
ele_verify_image: ret -110, img_id 0, response 0x1". Do you know what the problem is?

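The blob-insertion step described in the question, written with size, bounds and read-back checks so a truncated container or a misplaced blob is caught before flashing. This is an added example, not part of the original post and not NXP tooling; `insert_dek_blob`, the file paths and the offset value are hypothetical, and only the 72-byte blob size comes from the post.

```shell
#!/bin/sh
# Added example: patch a DEK blob into a signed+encrypted container in place.
# insert_dek_blob is a hypothetical helper; paths and offset come from the caller.

BLOB_SIZE=72   # blob size stated in the post

# usage: insert_dek_blob <container> <blob> <offset>   (offset: decimal or 0x hex)
insert_dek_blob() {
    container=$1
    blob=$2
    offset=$(($3))

    if [ ! -f "$container" ] || [ ! -f "$blob" ]; then
        echo "missing input file" >&2; return 2
    fi
    blob_len=$(($(wc -c < "$blob")))
    size_before=$(($(wc -c < "$container")))

    # Any other size means the file is not the 72-byte blob the post describes.
    if [ "$blob_len" -ne "$BLOB_SIZE" ]; then
        echo "blob is $blob_len bytes, expected $BLOB_SIZE" >&2; return 3
    fi
    # The slot must lie inside the container; writing past the end would grow it.
    if [ "$offset" -lt 0 ] || [ $((offset + BLOB_SIZE)) -gt "$size_before" ]; then
        echo "offset $offset does not fit in $size_before-byte container" >&2; return 4
    fi

    # conv=notrunc keeps everything after the blob; without it dd truncates the file.
    dd if="$blob" of="$container" bs=1 seek="$offset" conv=notrunc 2>/dev/null || return 5

    # Read back: container size unchanged and the slot now holds the blob.
    size_after=$(($(wc -c < "$container")))
    [ "$size_after" -eq "$size_before" ] || return 6
    dd if="$container" bs=1 skip="$offset" count="$BLOB_SIZE" 2>/dev/null \
        | cmp -s - "$blob" || return 7
    return 0
}

# Run directly as: script.sh <container> <blob> <offset>
if [ $# -eq 3 ]; then
    insert_dek_blob "$@"
fi
```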
2 Replies

spawn
Contributor III

After more digging... It does not seem to be possible to use ELE through keyctl. What's left is the possibility to use keyctl with TEE. I will try that.

spawn
Contributor III

Unless it's not possible to encrypt linux? In which case the rootfs decryption key must not be stored in the initramfs but in ELE through keyctl?
