xref: /openbmc/u-boot/doc/imx/habv4/guides/encrypted_boot.txt (revision b89074f65047c4058741ed2bf3e6ff0c5af4c5bc)

1. Setup U-Boot Image for Encrypted Boot
----------------------------------------
An authenticated U-Boot image is used as starting point for
Encrypted Boot. The image is encrypted by i.MX Code Signing
Tool (CST). The CST replaces only the image data of
u-boot-dtb.imx with the encrypted data. The Initial Vector Table,
DCD, and Boot data, remains in plaintext.

The image data is encrypted with a Encryption Key (DEK).
Therefore, this key is needed to decrypt the data during the
booting process. The DEK is protected by wrapping it in a Blob,
which needs to be appended to the U-Boot image and specified in
the CSF file.

The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
needs to have the following configurations enabled in Kconfig:

CONFIG_SECURE_BOOT=y
CONFIG_CMD_DEKBLOB=y

Note: The encrypted boot feature is only supported by HABv4 or
greater.

The dek_blob command then can be used to generate the DEK blob of
a DEK previously loaded in memory. The command is used as follows:

dek_blob <DEK address> <Output Address> <Key Size in Bits>
example: dek_blob 0x10800000 0x10801000 192

The resulting DEK blob then is used to construct the encrypted
U-Boot image. Note that the blob needs to be transferred back
to the host.Then the following commands are used to construct
the final image.

cat u-boot-dtb.imx csf-u-boot.bin > u-boot-signed.imx
objcopy -I binary -O binary --pad-to <blob_dst> --gap-fill=0x00 \
    u-boot-signed.imx u-boot-signed-pad.bin
cat u-boot-signed-pad.imx DEK_blob.bin > u-boot-encrypted.imx

    NOTE: u-boot-signed.bin needs to be padded to the value
    equivalent to the address in which the DEK blob is specified
    in the CSF.