
Encrypted XiP on flexspi nor on RT1052. Signature needed?

Question asked by Paride Russo on Jan 16, 2020
Latest reply on Jan 20, 2020 by Felipe García


I'm trying to do encrypted XiP on flexspi nor on the rt1052 but I'm having some difficulty understanding the whole process.

I'm already going through lots of pdfs including Flashloader, elftosb, HAB code signing, etc.


What I have got so far but I'm unsure about is:


  • Encrypted XiP through flash serial nor does not need HAB part, hence there's no need to prepare the CSF part in the image.
  • If the above is true, do I need to set the mcu in closed mode? Because if the BEE decrypts in real-time the image then there's actually "no safe boot happening" from my understanding, but just an on the fly decryption that is transparent to the cpu; so I should be able to do encrypted XiP also in open/fab mode.
  • If the HAB is not involved and the private master key is set into SW_GP2 instead of OTPMK then I don't need to generate the private/public key because there will be no hashing of the key.


Now if what I wrote is correct, assuming that I programmed my private key in the SW_GP2 fuses and that I set BEE_KEY0_SEL to point to SW_GP2, then I need to generate a secure binary file that will be driven by a bd file so that:

  • I define a prdb block
  • I define a keyblob


But where is encryption really happening? Is it during download phase that BEE encrypts on the fly? Or is it the elftosb tool that encrypts on pc side as secure binary?


Is there a particular pdf or manual that I can follow here? Because most of what I'm finding is explaining HAB or encryption but not the XiP one.