iMX6Q Encrypted Boot: Key Generation & Blob Creation

satyadamarla
Contributor III

Hello Guys,

An explanation of encrypted boot in the document of CST tool is as follows:

The encrypted boot case is very similar to generating signed images, but there are two main differences. The first is that the binary image is both decrypted and authenticated using a symmetric key rather than signed using a private asymmetric key. The second is the CST generates a one-time AES Data Encryption Key (DEK) which is used to encrypt the image.

A cryptographic blob of the DEK must be created during the OEM manufacturing stages on each processor and then attached to the image on the boot device. The reason for this is the DEK blob is created using the device unique key embedded into the Freescale processor which is only readable by the on-chip encryption engine. The DEK is common to all ICs using the same encrypted image but the DEK blob is unique per IC.

  1. I assume that it's the bootloader+signature file that is encrypted with DEK. Am I right?
  2. CST generates the DEK. None is generated, nor does any script exist. Can you please guide me where exactly it's done, or should one use openssl separately to generate the key?
  3. AES mode: Is it AES-CCM mode?
  4. DEK Blob: How to create it?

Thanks & Greets,

Satya

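The workflow the CST excerpt above describes has two host-side pieces that are easy to get wrong: the addresses in the CSF's [Authenticate Data], [Install Secret Key] and [Decrypt Data] sections must match the image's IVT, and the per-device DEK blob must be spliced in exactly at the "Blob Address" the CSF names. The following is an added example (not CST, U-Boot or NXP code) that derives those values from the IVT of a u-boot-ivt.img and assembles the final image. It assumes the layout used by the U-Boot encrypted-boot guides: a 0xc00-byte cleartext header (IVT, boot data, DCD) that is authenticated but not encrypted, a CSF area reserved at 0x2000 bytes, and the DEK blob appended directly after the padded CSF. The file name "u-boot-ivt.img", the key file name "dek.bin" and the synthetic image built by make_test_image() are constructed for the example; "Mac Bytes = 16" is the AES-CCM tag length HAB uses when decrypting.

```python
"""Host-side helper for i.MX6 HABv4 encrypted boot (added example, not NXP code).

Derives the CSF block addresses from the image's IVT and splices the padded CSF
plus the per-device DEK blob into the final boot image.  Layout assumptions are
marked below; check them against your own mkimage configuration.
"""
import struct

IVT_TAG = 0xD1
IVT_LENGTH = 0x20
IVT_VERSIONS = (0x40, 0x41)
CSF_PAD = 0x2000      # assumption: CSF area reserved by mkimage for i.MX6 (CONFIG_CSF_SIZE)
CLEAR_HDR = 0xC00     # assumption: IVT + boot data + DCD stay in the clear; text starts at self + 0xc00
IMAGE_NAME = "u-boot-ivt.img"   # constructed file name used in the rendered CSF


def parse_ivt(img: bytes) -> dict:
    """Decode the 32-byte IVT at offset 0: big-endian tag/length/version, then LE u32 fields."""
    if len(img) < IVT_LENGTH:
        raise ValueError("image shorter than an IVT")
    tag, length, version = img[0], struct.unpack(">H", img[1:3])[0], img[3]
    if tag != IVT_TAG or length != IVT_LENGTH or version not in IVT_VERSIONS:
        raise ValueError("no valid IVT header at offset 0")
    entry, _res1, dcd, boot_data, self_addr, csf, _res2 = struct.unpack("<7I", img[4:32])
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data, "self": self_addr, "csf": csf}


def layout(img: bytes) -> dict:
    """File offsets and load addresses the CSF needs.  The IVT's csf pointer must
    land exactly at the end of the image, otherwise HAB will read the CSF from the
    wrong place and the blob address computed here is meaningless."""
    ivt = parse_ivt(img)
    csf_off = ivt["csf"] - ivt["self"]
    if csf_off != len(img):
        raise ValueError(f"CSF pointer offset {csf_off:#x} != image length {len(img):#x}")
    if csf_off <= CLEAR_HDR:
        raise ValueError("image has no payload after the cleartext header")
    return {
        "start": ivt["self"],            # load address of the image (IVT self pointer)
        "csf_off": csf_off,              # file offset where the CSF binary is appended
        "csf_addr": ivt["csf"],
        "blob_off": csf_off + CSF_PAD,   # DEK blob goes right after the padded CSF
        "blob_addr": ivt["csf"] + CSF_PAD,
    }


def csf_encrypt_sections(img: bytes, key_bits: int = 128, key_file: str = "dek.bin") -> str:
    """Render the encrypted-boot CSF sections for this image.  The header is only
    authenticated; everything from CLEAR_HDR to the CSF pointer is decrypted."""
    if key_bits not in (128, 192, 256):
        raise ValueError("AES key length must be 128, 192 or 256 bits")
    lo = layout(img)
    enc_len = lo["csf_off"] - CLEAR_HDR
    return (
        "[Authenticate Data]\n"
        "    Verification index = 2\n"
        f'    Blocks = 0x{lo["start"]:08x} 0x0 0x{CLEAR_HDR:x} "{IMAGE_NAME}"\n'
        "\n"
        "[Install Secret Key]\n"
        "    Verification index = 0\n"
        "    Target index = 0\n"
        f'    Key = "{key_file}"\n'
        f"    Key Length = {key_bits}\n"
        f'    Blob Address = 0x{lo["blob_addr"]:08x}\n'
        "\n"
        "[Decrypt Data]\n"
        "    Verification index = 0\n"
        "    Mac Bytes = 16\n"   # AES-CCM authentication tag length
        f'    Blocks = 0x{lo["start"] + CLEAR_HDR:08x} 0x{CLEAR_HDR:x} 0x{enc_len:x} "{IMAGE_NAME}"\n'
    )


def assemble(enc_img: bytes, csf_bin: bytes, dek_blob: bytes) -> bytes:
    """Append the CSF zero-padded to CSF_PAD, then the device-specific DEK blob, so
    the blob sits at the offset that corresponds to the CSF's Blob Address."""
    lo = layout(enc_img)
    if len(csf_bin) > CSF_PAD:
        raise ValueError(f"CSF is {len(csf_bin):#x} bytes, larger than the reserved {CSF_PAD:#x}")
    out = enc_img + csf_bin.ljust(CSF_PAD, b"\x00") + dek_blob
    if len(out) != lo["blob_off"] + len(dek_blob):
        raise RuntimeError("blob did not land at the expected offset")
    return out


def make_test_image(self_addr: int = 0x877FF400, payload_len: int = 0x4000) -> bytes:
    """Constructed stand-in for u-boot-ivt.img: a well-formed IVT over dummy bytes."""
    total = CLEAR_HDR + payload_len
    hdr = bytes([IVT_TAG]) + struct.pack(">H", IVT_LENGTH) + bytes([0x40])
    hdr += struct.pack("<7I",
                       self_addr + CLEAR_HDR,          # entry: start of U-Boot text
                       0,                              # reserved1
                       self_addr + IVT_LENGTH + 0xC,   # dcd: after IVT and boot data
                       self_addr + IVT_LENGTH,         # boot_data
                       self_addr,                      # self
                       self_addr + total,              # csf: end of image
                       0)                              # reserved2
    body = bytes(CLEAR_HDR - IVT_LENGTH) + bytes(range(256)) * (payload_len // 256)
    return hdr + body


if __name__ == "__main__":
    image = make_test_image()
    print(csf_encrypt_sections(image))
    print(f"DEK blob file offset: {layout(image)['blob_off']:#x}")
```

In practice the sequence is: run cst on a CSF containing these sections (the dek.bin named by Key = is the one-time DEK, whether CST wrote it or you produced it with openssl rand), take the resulting csf binary and encrypted image, and then on each target unit turn dek.bin into a blob with the U-Boot dek_blob command (dek_blob src dst 128, from the patch this thread mentions) before passing the blob to assemble(). Note that dek_blob takes the plaintext DEK as input: the U-Boot build that carries it and the channel used to deliver dek.bin are part of the manufacturing trust boundary and should not ship in the production image.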
1 Solution
Yuri
NXP Employee

Hello,

I hope the following helps:

Encrypted U-boot Example

Regards,

Yuri.

3 Replies
b36401
NXP Employee

Please refer to chapter 4.11 "High Assurance Boot" of the Security Reference Manual for i.MX6 Families of Applications Processors.

Have a great day,

Victor

satyadamarla
Contributor III

Hello Victor,

Thank you for the reply. I am sorry to say some of my questions remain unanswered. For example:

  1. DEK is generated by CST. My cst-2.3.2 doesn't generate one. Of course I can generate one using openssl, but as the information in the document (or on the internet) suggests, that is contrary to my trials.

  2. I think I found a way to generate the blob, actually a patch: [U-Boot] [PATCH] imx6: Added DEK blob generator command

     I haven't tried it but hope it works. I can only try it after I have clarity about the above step.

Greets,

Satya
