I've written an article on how to use HABv4 on i.MX6/i.MX7 to sign and encrypt your bootloader.
During my testing, I've used 4096-bit keys and everything was working fine in open mode, no HAB events. However when I closed the device it wasn't booting!
I reported the issue here already with no answer:
In order to boot the board with a signed bootloader I've had to add a 'Engine = CAAM' line although it was working fine in open mode with no HAB events reported! I think this should be documented somewhere.
However I couldn't get encryption to work, although, once again, it was working in open mode.
So my question: have 4096-bit keys been tested with encryption on close devices?
Looking at the HABCST_UG.pdf, it seems that a configuration for 4096 keys is provided (section 5.3.5):
- It doesn't have the [UNLOCK] section
- Does this configuration force to set the RNG Trim in Fuse?
- It is providing the .der files instead of the .pem files, is it normal?