Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • early-display
  • variant-emmc-nvme-boot
  • 2023-01-25
  • v3
  • variant-emmc-nvme-boot
  • 2020-06-01
7 results
Blame Permalink
Forked from Reform / reform-boundary-uboot
Source project has a limited visibility.
  • Raul Cardenas's avatar
    0200020b
    imx6: Added DEK blob generator command · 0200020b
    Raul Cardenas authored 
    
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: default avatarRaul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: default avatarNitin Garg <nitin.garg@freescale.com>

Signed-off-by: default avatarUlises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: default avatarUlises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
    0200020b
    History
    imx6: Added DEK blob generator command
    Raul Cardenas authored 
    
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: default avatarRaul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: default avatarNitin Garg <nitin.garg@freescale.com>

Signed-off-by: default avatarUlises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: default avatarUlises Cardenas-B45798 <Ulises.Cardenas@freescale.com>