AnsweredAssumed Answered

imx6 secure boot with encryption

Question asked by Frieder Baumgratz on Oct 27, 2016
Latest reply on Nov 16, 2016 by Frieder Baumgratz

Dear NXP community,


I have a board with an imx6 processor set in closed configuration (for secure boot).


Signing an image (or more) works perfectly fine.


Now I want to encrypt an image. That's where all the trouble begins.


First of all, I have to mention, that I don't want to encrypt the first image loaded after the ROM boot loader, but that shouldn't be a problem (or am I wrong?).


In order to use the encryption with the Code Signing Tool provided by nxp, I linked the tool with following commands:


cd ~/cst-2.3.2

gcc -o cst_encrypt -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto


There were no errors reported.


Now the tool is able to encrypt my image.


After this I created a command sequence file with following content:


----- Beginn file.csf -----


    Version = 4.1
    Hash Algorithm = sha256
    Certificate Format = X509
    Signature Format = CMS
    Engine = ANY
    Engine Configuration = 0
[Install SRK]
    File = "./crts/SRK_Table.bin"
    Source index = 0
[Install CSFK]
    File = "./crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
    Engine = CAAM
    Features = RNG
[Install Key]
    File = "./crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
    Verification index = 0
    Target index = 2
[Authenticate Data]
    Verification index = 2
     Blocks =  0x10100000 0x0 0x1000 "image_to_be_encrypted"
[Install Secret Key]
    Verification index = 0
    Target index = 0
    Key = "dek.bin"
    Key Length = 256
    Blob address = 0x1017FFA0
[Decrypt Data]
    Verification index = 0
    Mac Bytes = 16
    Blocks = 0x10101000 0x1000 0xF000 "image_to_be_encrypted"


----- end file.csf -----


Now I am running:


./linux64/cst_encrypt --o encrypted.bin --i file.csf --cert ./crts/dek_protection_key.pem


The output is my signed and encrypted image. After this, I transfer the generated dek.bin to the imx6 board and create the key using the dek_blob function provided by uboot.


This output is attached to the image at the address 0x1017FFA0 and then padded to 0x80000.


When I transfer the image to my board, I have a little check function which checks whether the image is signed or not.


For this function I use the HAB function hab_status_t(* hab_rvt::run_csf)(const uint8_t *csf, uint8_t cid).


Using this function, I get no errors, but when I want to save the image I get this HAB event:


HAB Configuration: 0xcc HAB State: 0x99

---------- HAB EVENT 1 ----------
event data:
0xdb 0x00 0x1c 0x41 0x33 0x18 0xc0 0x1d
0xca 0x00 0x14 0x00 0x00 0xa3 0x00 0x00
0x00 0x00 0x0f 0x64 0x10 0x10 0x10 0x00
0x00 0x00 0xf0 0x00


I am pretty lost right now, I don't have any more ideas what I can do.


The image has a length of 0x80000 and is loaded to 0x10100000 in the boards RAM.


I have to mention, everything works smootly when I only use signed images.


I hope someone can help me.


Best wishes,