I am trying to completely secure boot on i.MX6UL (provide encrypted nad signed u-boot (boot loader second stage) image).
Signing is working. The SPL is authenticate and hab_status do not report any events.
To sign and encrypt SPL (without IVT and DCD and Boot data) I use following CSF file:
Version = 4.2
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
Verification index = 0
Target Index = 2
Verification index = 2
Blocks = 0x00907400 0x00000000 0x00008c00 "./SPL"
#0x00907400 - start of area in RAM to be authenticate
#0x00000000 - start of area in SPL to sign
#0x00008c00 - size of area in SPL to sign (include IVT and DCD)
If the CSF file ends here the signing is working
#Encrypt the boot image and create a DEK
[Install Secret Key]
Verification Index = 0
#Master KEK index - 0 = OTPMK fuses
Target Index = 2
Key = "./dek.bin"
Key Length = 192
Blob Address = 0x00911fb0
How to calculate this blob address?
Verification Index = 2
Mac Bytes = 16
#The CST encrypts only image data of SPL.
Blocks = 0x00907400 0x1174 0x7a8c "./SPL"
What should contain Blocks?
When the CSF file ends here the evk do not boot from sd card.
Next step (in theory) is to boot signed image + DEK and run dek_blob 0x82000000 0x83000000 192 to generate dek blob.
If I run above command in u-boot which is only signed I get:
Encapsulating provided DEK to form blob 0x82000000
Error in SEC deq
Error in Encapsulation -1
Command failed, result=-1
I think that in section [Install Secret Key] and [Decrypt Data] Block address and Block could be incorrect.
What is the structure of signed and encrypted image? (IVT, Boot data, DCD, u-boot, HAB data, DEK). What are the offsets of each parts in SPL?
Does anyone had run signed and encrypted SPL on i.MX6UL?