AnsweredAssumed Answered

imx6 secure boot with encryption

Question asked by Frieder Baumgratz on Oct 27, 2016
Latest reply on Nov 16, 2016 by Frieder Baumgratz

Dear NXP community,

 

I have a board with an imx6 processor set in closed configuration (for secure boot).

 

Signing an image (or more) works perfectly fine.

 

Now I want to encrypt an image. That's where all the trouble begins.

 

First of all, I have to mention, that I don't want to encrypt the first image loaded after the ROM boot loader, but that shouldn't be a problem (or am I wrong?).

 

In order to use the encryption with the Code Signing Tool provided by nxp, I linked the tool with following commands:

 

cd ~/cst-2.3.2

gcc -o cst_encrypt -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto

 

There were no errors reported.

 

Now the tool is able to encrypt my image.

 

After this I created a command sequence file with following content:

 

----- Beginn file.csf -----

 

[Header]
    Version = 4.1
    Hash Algorithm = sha256
    Certificate Format = X509
    Signature Format = CMS
    Engine = ANY
    Engine Configuration = 0
[Install SRK]
    File = "./crts/SRK_Table.bin"
    Source index = 0
[Install CSFK]
    File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
    Engine = CAAM
    Features = RNG
[Install Key]
    File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
    Verification index = 0
    Target index = 2
[Authenticate Data]
    Verification index = 2
     Blocks =  0x10100000 0x0 0x1000 "image_to_be_encrypted"
[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "dek.bin"
    Key Length = 256
    Blob address = 0x1017FFA0
[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 0x10101000 0x1000 0xF000 "image_to_be_encrypted"

 

----- end file.csf -----

 

Now I am running:

 

./linux64/cst_encrypt --o encrypted.bin --i file.csf --cert ./crts/dek_protection_key.pem

 

The output is my signed and encrypted image. After this, I transfer the generated dek.bin to the imx6 board and create the key using the dek_blob function provided by uboot.

 

This output is attached to the image at the address 0x1017FFA0 and then padded to 0x80000.

 

When I transfer the image to my board, I have a little check function which checks whether the image is signed or not.

 

For this function I use the HAB function hab_status_t(* hab_rvt::run_csf)(const uint8_t *csf, uint8_t cid).

 

Using this function, I get no errors, but when I want to save the image I get this HAB event:

 

HAB Configuration: 0xcc HAB State: 0x99

---------- HAB EVENT 1 ----------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x1d
0xca 0x00 0x14 0x00 0x00 0xa3 0x00 0x00
0x00 0x00 0x0f 0x64 0x10 0x10 0x10 0x00
0x00 0x00 0xf0 0x00

 

I am pretty lost right now, I don't have any more ideas what I can do.

 

The image has a length of 0x80000 and is loaded to 0x10100000 in the boards RAM.

 

I have to mention, everything works smootly when I only use signed images.

 

I hope someone can help me.

 

Best wishes,

 

Frieder

Outcomes