Recently I've been tasked with adding encrypted boot to one of our products which runs the I.MX6 processor. I have it working here on development boards, but we also have many boards that have already shipped that we'd like to upgrade in the field. The processors are currently programmed for signed boot with SRKs in the fuses and the secure mode fuse blown. They also have several black key blobs stored in NAND. In order to avoid transferring a key as part of the upgrade we'd like to use one of the existing black keys on the system to create the DEK blob which is appended to U-Boot and used to decrypt the program code.
So far I've figured out how to create a DEK using a known red key and convince CSF to use it to encrypt our U-Boot image, and then confirmed that it boots. The issue is that I have only black keys on the target processors and need to be able to create a DEK blob from one of them.
That leads to a few questions:
1. What exactly does the HAB do when running an Install Secret Key instruction from a CSF? Is there any way to have it load a black key blob instead of red?
2. Is there any way I can convert a black key blob into a red key in secure memory?
In case it helps here is the job descriptor I am running to create the dek blob from a red key(taken from U-Boot's dek_blob function).
0xB0800009 # Header, length 9
0x14C00C08 # Load key 2
0x00105566 # AAD descriptor for wrapping
0xF0000010 # SEQ in
0x00100000 # Replaced with address of red key in secure memory
0xF8000040 # SEQ out
0x00000000 # Replaced with output address in gp memory
0x870D0008 # Protocol encapsulate blob from secure memory, red key