AnsweredAssumed Answered

HABv4 encryption with 4096-bit keys

Question asked by Gary Bisson on Oct 20, 2016
Latest reply on Nov 29, 2016 by Gary Bisson

Hi,

 

I've written an article on how to use HABv4 on i.MX6/i.MX7  to sign and encrypt your bootloader.

https://boundarydevices.com/high-assurance-boot-hab-dummies/ 

 

During my testing, I've used 4096-bit keys and everything was working fine in open mode, no HAB events. However when I closed the device it wasn't booting!

 

I reported the issue here already with no answer:

https://community.nxp.com/docs/DOC-330622#comment-37543 

 

In order to boot the board with a signed bootloader I've had to add a 'Engine = CAAM' line although it was working fine in open mode with no HAB events reported! I think this should be documented somewhere.

 

However I couldn't get encryption to work, although, once again, it was working in open mode.

 

So my question: have 4096-bit keys been tested with encryption on close devices?

 

Looking at the HABCST_UG.pdf, it seems that a configuration for 4096 keys is provided (section 5.3.5):

  • It doesn't have the [UNLOCK] section
    • Does this configuration force to set the RNG Trim in Fuse?
  • It is providing the .der files instead of the .pem files, is it normal?


Please advise.

Regards,
Gary

Outcomes