I was reading directions on encrypting u-boot image per Encrypted boot loader on SabreSD i.MX6q board but then at the end had the following statement (after step 18):
As a result we have encrypted boot image which can be loaded and executed by only current board. Because dek_blob.bin is unique per i.MX6 CPU.
If dek_blob is unique per i.MX6 chip/board then how would this be useful when image is for entire fleet of boards in the field? Having to create a dek_blob per unit would require a service return or worse generate dek_blob and encrypt in the field. And since the master key is unique per unit that wraps the dek creating the blob, can't make each HAB decrypt the same blob (also bad idea).
Now I don't see much need for encrypting UBoot image since a) Off-the-shelf and b) doesn't change much. However, I would like to create a single encrypted kernel uimage that "all" units can decrypt. Is that possible or maybe I'm missing something here....?