I'm using swupdate with an A/B partition scheme to support software update on one of our projects running on an iMX6Q.
swupdate supports installing images encrypted with symmetric AES-256 keys as described here:
Basically you have to (temporarily at least) write the key as a single line in a file and run the swupdate command line utility with the file as an argument.
I need a way to securely store the key on the device. This is the procedure I had in mind:
1) Use the CAAM in the MX6 to store an AES-256 key in the SNVS during manufacturing
2) Access the key from a root shell during software update
3) Write the key to a file in a volatile tmpfs
4) Run swupdate with the key
5) Nuke the key file and reboot
Is this possible? Do you guys have a better suggestion?
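Steps 3 to 5 of the procedure above, as an added example that is not part of the original post: the key file is created only on tmpfs, readable by its owner alone, and is wiped whether or not the update succeeds. `fetch_key` is a hypothetical hook standing in for step 2 (how the key is retrieved from the CAAM is not shown), and the function names are assumptions; `-K` and `-i` are swupdate's key-file and image options.

```shell
#!/bin/sh
# Added example: steps 3-5 only. How the key leaves CAAM/SNVS is not shown.

# Hypothetical hook: print the one-line key file content on stdout.
# Replace with the platform-specific retrieval step (assumption).
fetch_key() {
    echo "fetch_key: not implemented for this platform" >&2
    return 1
}

# Succeeds only if directory $1 is on tmpfs/ramfs, so the key never hits flash.
on_tmpfs() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Overwrite, then unlink, the key file.
wipe_key() {
    [ -f "$1" ] || return 0
    size=$(($(wc -c < "$1")))
    dd if=/dev/zero of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
    rm -f "$1"
}

# $1 = key directory (must be tmpfs), $2 = encrypted .swu image
run_update() {
    on_tmpfs "$1" || { echo "refusing: $1 is not tmpfs" >&2; return 1; }
    keyfile=$(mktemp "$1/swu-key.XXXXXX") || return 1   # created mode 0600
    trap 'wipe_key "$keyfile"' EXIT INT TERM            # wipe on abort too
    rc=0
    fetch_key > "$keyfile" && swupdate -K "$keyfile" -i "$2" || rc=$?
    wipe_key "$keyfile"
    trap - EXIT INT TERM
    return "$rc"
}

# Usage: script <tmpfs-dir> <image.swu>
if [ "$#" -eq 2 ]; then
    run_update "$1" "$2"
fi
```

The script returns swupdate's exit status, so the caller can decide whether to reboot into the new partition.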