| 1. Setup U-Boot Image for Encrypted Boot |
| ---------------------------------------- |
| An authenticated U-Boot image is used as starting point for |
| Encrypted Boot. The image is encrypted by i.MX Code Signing |
| Tool (CST). The CST replaces only the image data of |
| u-boot-dtb.imx with the encrypted data. The Initial Vector Table, |
| DCD, and Boot data, remains in plaintext. |
| |
| The image data is encrypted with a Encryption Key (DEK). |
| Therefore, this key is needed to decrypt the data during the |
| booting process. The DEK is protected by wrapping it in a Blob, |
| which needs to be appended to the U-Boot image and specified in |
| the CSF file. |
| |
| The DEK blob is generated by an authenticated U-Boot image with |
| the dek_blob cmd enabled. The image used for DEK blob generation |
| needs to have the following configurations enabled in Kconfig: |
| |
| CONFIG_SECURE_BOOT=y |
| CONFIG_CMD_DEKBLOB=y |
| |
| Note: The encrypted boot feature is only supported by HABv4 or |
| greater. |
| |
| The dek_blob command then can be used to generate the DEK blob of |
| a DEK previously loaded in memory. The command is used as follows: |
| |
| dek_blob <DEK address> <Output Address> <Key Size in Bits> |
| example: dek_blob 0x10800000 0x10801000 192 |
| |
| The resulting DEK blob then is used to construct the encrypted |
| U-Boot image. Note that the blob needs to be transferred back |
| to the host.Then the following commands are used to construct |
| the final image. |
| |
| cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx |
| objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \ |
| u-boot-signed.imx u-boot-signed-pad.bin |
| cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx |
| |
| NOTE: u-boot-signed.bin needs to be padded to the value |
| equivalent to the address in which the DEK blob is specified |
| in the CSF. |