How to use existing Black Key blobs for HAB encrypted boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to use existing Black Key blobs for HAB encrypted boot

881 Views
davidwinn
Contributor I

Recently I've been tasked with adding encrypted boot to one of our products which runs the I.MX6 processor. I have it working here on development boards, but we also have many boards that have already shipped that we'd like to upgrade in the field. The processors are currently programmed for signed boot with SRKs in the fuses and the secure mode fuse blown. They also have several black key blobs stored in NAND. In order to avoid transferring a key as part of the upgrade we'd like to use one of the existing black keys on the system to create the DEK blob which is appended to U-Boot and used to decrypt the program code.

So far I've figured out how to create a DEK using a known red key and convince CSF to use it to encrypt our U-Boot image, and then confirmed that it boots. The issue is that I have only black keys on the target processors and need to be able to create a DEK blob from one of them.

That leads to a few questions:
1. What exactly does the HAB do when running an Install Secret Key instruction from a CSF? Is there any way to have it load a black key blob instead of red?

2. Is there any way I can convert a black key blob into a red key in secure memory?

Thanks,

David

In case it helps here is the job descriptor I am running to create the dek blob from a red key(taken from U-Boot's dek_blob function).
0xB0800009    # Header, length 9
0x14C00C08    # Load key 2
0x00105566    # AAD descriptor for wrapping
0x00000000
0xF0000010    # SEQ in
0x00100000    # Replaced with address of red key in secure memory
0xF8000040    # SEQ out
0x00000000    # Replaced with output address in gp memory
0x870D0008    # Protocol encapsulate blob from secure memory, red key

Labels (2)
0 Kudos
1 Reply

518 Views
Yuri
NXP Employee
NXP Employee

Hello,

   Sorry, but the information you are requesting is treated as confidential info at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway, this requires to be handled as a Service Request (SR).

Support|NXP 

Have a great day,
Yuri

-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------

0 Kudos