AnsweredAssumed Answered

DEK reuse in CST for i.MX6

Question asked by michalhojsik on Apr 19, 2018
Latest reply on Oct 23, 2019 by town wang



I am working on encrypted boot on i.MX6 and I would like to use one DEK in several builds. The goal is to keep the same DEK and do not let CST to generate new DEK each time it runs.


In the "backend code" of the Code Signing Toll (CST), file $(CST-HOME)/code/back_end/src/adapt_layer_openssl.c, function "gen_auth_encrypted_data(...)" has arguments  "key_file" and "reuse_dek". However, there is not obvious way to provide this key_file name to the function.


After couple of tries I found out that the CST version 2.3.3 has a "hidden" command line argument "--dek" that (as I believe) should allow me to specify the DEK file name. Indeed, if I ran the tool with --dek argument, for example

../linux64/cst --o u-boot_csf.bin --i u-boot.csf --dek dek.bin

it does not complain and even prints some warning about key-reuse. However, then the tool crashes with "Segmentation fault (core dumped)".


So the question is: How can I reuse the DEK between CST runs?