IMX6Q, encryption, & swupdate

Question asked by Erik Bolton on Jan 3, 2018
Latest reply on Jan 3, 2018 by Yuri Muhin

Hey All:

I'm using swupdate with an A/B partition scheme to support software update on one of our projects running on an iMX6Q.

swupdate supports installing images encrypted with symmetric AES-256 keys as described here:

Symmetrically Encrypted Update Images — Embedded Software Update Documentation 2017.11 documentation 

Basically you have to (temporarily at least) write the key as a single line in a file and run the swupdate command line utility with the file as an argument.

I need a way to securely store the key on the device. This is the procedure I had in mind:

1) Use the CAAM in the MX6 to store an AES-256 key in the SNVS during manufacturing

2) Access the key from a root shell during software update

3) Write the key to a file in a volatile tmpfs

4) Run swupdate with the key

5) Nuke the key file and reboot

Is this possible? Do you guys have a better suggestion?

Thanks.

-Erik Bolton
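
Steps 3 to 5 of the procedure in the question, as an added shell example that is not part of the original post and is not swupdate's or NXP's code. It assumes the key reader for step 2 is supplied by the caller (`read_key_from_snvs` is a hypothetical name), that the key is passed through swupdate's `-K` key-file option, and that `MOUNTS_FILE` is a variable introduced here to override `/proc/mounts`.

```shell
#!/bin/sh
# Added example: steps 3-5 of the procedure above. Step 2 (reading the key out
# of CAAM/SNVS) is not implemented; the caller supplies a command for it.

# is_on_tmpfs <path> [mounts_file]
# True if the longest mount point that prefixes <path> has fstype tmpfs.
# Plain string match: <path> must be absolute and free of symlinks.
is_on_tmpfs() {
    awk -v p="$1/" '
        { mp = $2; if (mp != "/") mp = mp "/" }
        index(p, mp) == 1 && length(mp) >= best { best = length(mp); fs = $3 }
        END { exit (fs == "tmpfs" ? 0 : 1) }
    ' "${2:-/proc/mounts}"
}

# run_with_ephemeral_key <dir> <fetch_key_cmd> <updater> [args...]
# Writes the key to a 0600 file in <dir>, runs the updater with the key file
# path appended as its last argument, and removes the file whatever the result.
# Returns the updater's status, 2 if <dir> is not tmpfs, 3 if no key was read.
run_with_ephemeral_key() {
    tmpfs_dir=$1; fetch_key_cmd=$2; shift 2
    # Refuse to write key material anywhere that could reach flash.
    if ! is_on_tmpfs "$tmpfs_dir" "${MOUNTS_FILE:-/proc/mounts}"; then
        echo "refusing: $tmpfs_dir is not on tmpfs" >&2
        return 2
    fi
    keyfile=$(mktemp "$tmpfs_dir/swu-key.XXXXXX") || return 2  # mktemp creates it 0600
    rc=0
    if "$fetch_key_cmd" > "$keyfile" && [ -s "$keyfile" ]; then
        "$@" "$keyfile" || rc=$?        # a failed update must not skip cleanup
    else
        rc=3                            # key reader failed or returned nothing
    fi
    rm -f "$keyfile"
    return "$rc"
}

# Intended use on the target (read_key_from_snvs is a hypothetical helper):
#   run_with_ephemeral_key /run read_key_from_snvs swupdate -i update.swu -K
```

The key still exists in cleartext in RAM for the duration of the update, so this only keeps it off persistent storage; it does not protect it from a process already running as root.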