5. Program the encrypted U-Boot image on a closed device
Once the device has been closed, the encryption uses the unique and secure OTPMK (One Time Programmable Master Key). The update process wraps the DEK into an encrypted blob and stores it in the U-Boot partition. This wrapping must be done with the device's unique, secure OTPMK, so make sure the final programming happens after the device has been closed and restarted.
There are two ways to flash an encrypted U-Boot image: securing a new DEK, or reusing an existing one.
Secure a new DEK
Use this method if you are using encrypted images for the first time, or if you want to change the DEK. In this case, you need two input artifacts:
- The encrypted U-Boot image
- The data encryption key (DEK) in plain text
Use the following command to flash the encrypted U-Boot image:
=> trustfence update tftp u-boot-encrypted-ccimx6ulsbc.imx dek.bin
With the above command, the U-Boot image is flashed and the DEK is secured and stored in the U-Boot partition.
On an open device, the encryption uses the test master key, while on a closed device the encryption uses the unique and secure OTPMK. For that reason, the final programming of the encrypted U-Boot image must be done after closing the device and resetting.
The DEK blob is secured only if the command was run on a closed device. On an open device, the DEK blob is not secured, and both the plain-text DEK and the decrypted U-Boot could be recovered from the storage media.
The device now boots into a signed and encrypted U-Boot.
You can always recover a closed device by booting a properly signed U-Boot from recovery media. See Recover your device.
Reuse an existing DEK
When a new U-Boot image is required (for example, for new features) but the same DEK is used, you don't need to send the plain text DEK again. This is useful for updates performed in the field.
In this case, use the same command as when securing a new DEK but omit the DEK argument:
=> trustfence update tftp u-boot-encrypted-ccimx6ulsbc.imx
The U-Boot image being flashed must be encrypted with the existing DEK secured in the device. If the device does not have a DEK secured, the command will fail.
CAUTION! If a different DEK is used, the device will stop booting.
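As a build-host safeguard against the DEK mismatch described in the caution above, here is an added example that is not part of Digi's TrustFence tooling: a small POSIX shell script that fingerprints the DEK each encrypted image was built with and refuses a DEK-reuse update whose image does not match the DEK secured in the device. The sidecar file names (<image>.dekid, device.dekid) and the demo data are assumptions.

```shell
#!/bin/sh
# Build-host guard (added example, not Digi's TrustFence tooling): record which
# DEK an encrypted U-Boot image was built with, and refuse a "reuse existing DEK"
# update whose image does not match the DEK already secured in the device.
# Sidecar file names and layout are assumptions.

# Fingerprint a DEK without exposing it: hex SHA-256 of the key bytes.
dek_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# After encrypting image $1 with DEK $2, record the DEK fingerprint in
# "<image>.dekid" next to the image so the plain-text DEK need not travel.
record_dek_id() {
    image=$1; dek=$2
    dek_fingerprint "$dek" > "$image.dekid"
}

# Store the fingerprint of the DEK $1 that was secured in the device when
# "trustfence update ... dek.bin" was run; $2 is the device record file.
record_deployed_dek() {
    dek_fingerprint "$1" > "$2"
}

# Returns 0 only if image $1 was encrypted with the DEK recorded in $2.
# A mismatch means "trustfence update tftp <image>" (no DEK argument) would
# leave the device unable to boot; a missing record returns 2 (unknown).
reuse_is_safe() {
    image=$1; deployed=$2
    [ -f "$image.dekid" ] && [ -f "$deployed" ] || return 2
    [ "$(cat "$image.dekid")" = "$(cat "$deployed")" ]
}

# Constructed demo data: random bytes stand in for real DEKs, empty files for images.
demo_dir=$(mktemp -d)
head -c 32 /dev/urandom > "$demo_dir/dek.bin"
head -c 32 /dev/urandom > "$demo_dir/other-dek.bin"
: > "$demo_dir/u-boot-v1.imx"; : > "$demo_dir/u-boot-v2.imx"; : > "$demo_dir/u-boot-v3.imx"
record_deployed_dek "$demo_dir/dek.bin" "$demo_dir/device.dekid"   # first programming on the closed device
record_dek_id "$demo_dir/u-boot-v2.imx" "$demo_dir/dek.bin"        # same DEK: reuse is safe
record_dek_id "$demo_dir/u-boot-v3.imx" "$demo_dir/other-dek.bin"  # different DEK: reuse would brick the device
```

Run the check before each field update; only an image whose check returns 0 should be flashed with the DEK-less command.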
