diff options
author | Raul Cardenas <Ulises.Cardenas@freescale.com> | 2015-02-27 11:22:06 -0600 |
---|---|---|
committer | Stefano Babic <sbabic@denx.de> | 2015-03-02 09:57:06 +0100 |
commit | 0200020bc2b8192c31dc57c600865267f51bface (patch) | |
tree | 77e47e958773096b7cb53c20a0c6a1f4d83e46d8 /doc/README.mxc_hab | |
parent | b5cd10b911f632f74e1211ef786989781d2a1ca1 (diff) | |
download | u-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.zip u-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.tar.gz u-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.tar.bz2 |
imx6: Added DEK blob generator command
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.
During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process, is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.
Commands added
--------------
dek_blob - encapsulating DEK as a cryptgraphic blob
Commands Syntax
---------------
dek_blob src dst len
Encapsulate and create blob of a len-bits DEK at
address src and store the result at address dst.
Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>
Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>
Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
Diffstat (limited to 'doc/README.mxc_hab')
-rw-r--r-- | doc/README.mxc_hab | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/README.mxc_hab b/doc/README.mxc_hab index 43e64a2..e9340dd 100644 --- a/doc/README.mxc_hab +++ b/doc/README.mxc_hab @@ -46,3 +46,51 @@ cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx NOTE: U-Boot_CSF.bin needs to be padded to the value specified in the imximage.cfg file. + +Setup U-Boot Image for Encrypted Boot +------------------------------------- +An authenticated U-Boot image is used as starting point for +Encrypted Boot. The image is encrypted by Freescale's Code +Signing Tool (CST). The CST replaces only the image data of +u-boot.imx with the encrypted data. The Initial Vector Table, +DCD, and Boot data, remains in plaintext. + +The image data is encrypted with a Encryption Key (DEK). +Therefore, this key is needed to decrypt the data during the +booting process. The DEK is protected by wrapping it in a Blob, +which needs to be appended to the U-Boot image and specified in +the CSF file. + +The DEK blob is generated by an authenticated U-Boot image with +the dek_blob cmd enabled. The image used for DEK blob generation +needs to have the following configurations enabled: + +CONFIG_SECURE_BOOT +CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */ +CONFIG_FSL_CAAM +CONFIG_CMD_DEKBLOB + +Note: The encrypted boot feature is only supported by HABv4 or +greater. + +The dek_blob command then can be used to generate the DEK blob of +a DEK previously loaded in memory. The command is used as follows: + +dek_blob <DEK address> <Output Address> <Key Size in Bits> +example: dek_blob 0x10800000 0x10801000 192 + +The resulting DEK blob then is used to construct the encrypted +U-Boot image. Note that the blob needs to be transferred back +to the host.Then the following commands are used to construct +the final image. + +objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 \ + U-Boot_CSF.bin U-Boot_CSF_pad.bin +cat u-boot.imx U-Boot_CSF_pad.bin > u-boot-signed.imx +objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \ + u-boot-signed.imx u-boot-signed-pad.bin +cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx + + NOTE: u-boot-signed.bin needs to be padded to the value + equivalent to the address in which the DEK blob is specified + in the CSF. |