
HAB and encrypted boot (Linux)

Question asked by ChristophG.Baumann on Sep 6, 2012
Latest reply on Feb 27, 2013 by Ruud Commandeur

Hello all,

after reading the reference manual chapters 12, 13 and 20 (Boot Modes, DCP and OCOTP) I'm still unsure how an encrypted and signed boot process would be set up.

My idea is that I have a uImage of the Linux Kernel. Signing that with the Freescale code signing tool will generate a HAB.ELF file. Then 'elftosb' takes HAB.ELF and uImage as input and produces a SB file which represents a signed boot stream.

If this image is flashed and the HAB_CONFIG OTP bits are set to HAB_CLOSED, the CPU will boot this image, or fail to do so if the image in flash is not signed (of course the SRK OTP has to be programmed too).

Is this correct so far?

So, in the next step I program the CRYPTO_KEY OTP and use the DCP to encrypt my image with CRYPTO_KEY. Now I have an encrypted image, but how do I tell the boot ROM that the image is encrypted and not just garbage?

Can someone enlighten me?

Christoph
