Encryption of kernel,rootfs, etc with OTPMK

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Encryption of kernel,rootfs, etc with OTPMK

543 Views
kpdeshpande08
Contributor I

Hi,

I am implementing secure boot from SD card on LS1043ARDB. For which I have blown all necessary flags i.e OTPMK and SRKH. I want to implement chain of trust with confidentiality for which I enabled encap and decap bootscripts. After creating and flashing secure image in SD card I booted the LS1043ARDB board. After that when I connected SD card to laptop I found the contents of SD card (like rootfs, etc) are accessible whearas it is expected that those contents should be unaccessible. So it means the SD card contents are not properly encrypted. What do I need to do to make sure that the kernel, rootfs, etc in SD card are encrypted properly? How will I validate that?

0 Kudos
1 Reply

465 Views
bpe
NXP Employee
NXP Employee

Your observations are as expected and are not an indication of an
encryption failure.  Secure Boot image encapsulation
script does not perform encryption-in-place of the root filesystem
and/or Linux kernel, it is not an encrypted filesystem implementation.
It only exercises the hardware encryption engine
to create special binary structures called blobs. You can find details
about this feature in LS1043SECRM, Section 12.6. This blob binary
can be stored in Flash or on SD card or in any other memory. Conversely, the
decapsulation script reads a blob and unencrypts it to memory, so
the confidentiality boot scenario is a flavour of ramboot. The
original unencrypted images are not erased, although they are not
used after the encapsulation script have created and
saved the blobs necessary for booting. If your decapsulation
script does not return any errors and lets your system boot out of the
decapsulated images, it is a sufficient indication that everything
works properly.


Have a great day,
Platon

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos