Hi, I'm stuck building a secure imx6UL board. At the moment I'm able to sign and encrypt U-Boot and run it from SD.
Now I want to continue the chain of trust by validating every loaded image.
- I modified U-Boot to use the default environment.
- I prepared a signed bootscript that contains the remaining part of the boot.
- I modified the automatic boot sequence bootcmd with my own sequence that loads the bootscript from SD and verifies its signature with the hab_auth_img command.
- From the bootscript, with a well-defined sequence, I load a signed kernel and a signed device tree from SD, verify their signatures and, if all is OK, start the kernel.
1) First question: is the procedure correct? Is there a better way than modifying U-Boot and using hab_auth_img? Are there other ways? (Give me a clue.)
2) Suppose that the signature verification I implemented is correct. I want the loaded images to also be encrypted, for confidentiality. I enabled CMD_BLOB in U-Boot, which I suppose is able to encrypt my data, but the command blob enc doesn't work. Are there other configs to set before using this command?