Encryption on imx6 cpus

friederbaumgrat · ‎11-27-2016

Dear NXP community,

since I am able to encrypt the uboot successfully, I can't boot the linux kernel image (uImage).

I noticed, l that the kernel stops initialisation when he wants to load the caam drivers.

When I use the [Unlock] command in my CSF file (with Engine = CAAM; Features = RNG) the kernel boots!

Without this command he stopps at said drivers.

I am using the code signing tool 2.3.2

So my question is, is this Unlock cammand necessary?

If so, why...

Regards,

Frieder Baumgratz

gary_bisson · ‎11-28-2016

Hi,

Please read the Secure Boot using HAB application note:

The section "3.3.2. RNG Trim fuses" explains that behavior.

Regards,

Gary

gary_bisson · ‎11-28-2016

Hi,

Please read the Secure Boot using HAB application note:

The section "3.3.2. RNG Trim fuses" explains that behavior.

Regards,

Gary

friederbaumgrat · ‎12-14-2016

I just noticed, that when I set the [Unlock] command (with Engine = CAAM; Features = RNG) I can no longer use the dek_blob function.

UBoot prints: RNG: Instantiation failed with error fffffffe

Regards,

Frieder

Yuri · ‎12-14-2016

Hello,

From section 3.3.2.2 [Option 2 – Defer RNG Instantiation for Post HAB

Software (Recommended Option)] of AN4581 :

"Any operations requiring the RNG are not available to software until it is initialized,

such as encryption and blob generation. This does not affect HAB-signed or encrypted

boot features"

Regards,

Yuri.

friederbaumgrat · ‎12-14-2016

Thank your for your answer.

Regards,

Frieder

friederbaumgrat · ‎11-28-2016

Hi,

thanks for your help.

Regards,

Frieder