AnsweredAssumed Answered

iMX6Q Encrypted Boot: Key Generation & Blob Creation

Question asked by satyadamarla on Jun 28, 2016
Latest reply on Jun 29, 2016 by Yuri Muhin

Hello Guys,


An explanation of encrypted boot in the document of CST tool is as follows:


The encrypted boot case is very similar to generating signed images, but there are two main differences. The first is that the binary image is both decrypted and authenticated using a symmetric key rather than signed using a private asymmetric key. The second is the CST generates a one-time AES Data Encryption Key (DEK) which is used to encrypt the image.


A cryptographic blob of the DEK must be created during the OEM manufacturing stages on each processor and then attached to the image on the boot device. The reason for this is the DEK blob is created using the device unique key embedded into the Freescale processor which is only readable by the on-chip encryption engine. The DEK is common to all ICs using the same encrypted image but the DEK blob is unique per IC.


  1. I assume that it's the bootloader+signature file that is encrypted with DEK. Am I right?
  2. CST genrates the DEK. None is generated nor any script exists. Can you please guide me where exactly its done or one should use openssl seperately to generate the key?
  3. AES mode: Is it AES-CCM mode?
  4. DEK Blob: How to create it?


Thanks & Greets,