AnsweredAssumed Answered

IMX6Q, encryption, & swupdate

Question asked by Erik Bolton on Jan 3, 2018
Latest reply on Jan 3, 2018 by Yuri Muhin

Hey All:


I'm using swupdate with an A/B partition scheme to support software update on one of our projects running on an iMX6Q.


swupdate supports installing images encrypted with symmetric AES-256 keys as described here:

Symmetrically Encrypted Update Images — Embedded Software Update Documentation 2017.11 documentation 


Basically you have to (temporarily at least) write the key as a single line in a file and run the swupdate command line utility with the file as an argument.


I need to a way to securely store the key on the device. This is the procedure I had in mind:


1) Use the CAAM in the MX6 to store an AES-256 key in the SNVS during manufacturing

2) Access the key from a root shell during software update

3) Write the key to a file in a volatile tmpfs

4) Run swupdate with the key

5) Nuke the key file and reboot


Is this possible? Do you guys have a better suggestion?



-Erik Bolton