I am trying to get encrypted boot to work on an i.MX6. The sample command line (from Security Features of i.MX Applications Processors) to sign/encrypt an image for use with encrypted boot goes:
./cst -o csf.bin -c ./dek_rsa_key_crt.pem < u-boot_enc.csf
Can anybody tell me what the parameter "-c ./dek_rsa_key_crt.pem" does?
I assumed that it is used to protect the DEK for transport to the place where it is encrypted into a DEK blob on the target but then wondered:
- How can the target decrypt the DEK to re-encrypt it with the OTPMK?
- How do I generate the dek_rsa_key_crt.pem?