Can we use HAB to decrypt a Linux image from u-boot?
I have an i.MX6DL device with secure boot enabled and I can successfully boot using HAB a signed and encrypted u-boot image. And from that u-boot image, I can then load a signed (but NOT encrypted) app image, use hab_auth_img to authenticate the image, and then launch it.
NOW I want to encrypt that app image and have hab_auth_img authenticate and decrypt it. I have modified the CSF script, made sure to select a new key slot (different than the one I use to auth u-boot) for the app's key, made sure to create a new dek_blob just for the app and append the blob to the app. But when I call the HAB authentication API (which should call run_csf to authenticate, install secret key, and decrypt), I get the following HAB error:
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
0xdb 0x00 0x14 0x41 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x01
0x16 0x00 0x6f 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Note that this is saying the "install secret key" command is an invalid command.
Am I getting HAB_INV_COMMAND because HAB won't allow me to install a secret key via API? Or can I be getting this error because something isn't configured properly in my CSF?