On 17 February 2015 at 13:14, Ulises.Cardenas@freescale.com wrote:
From: Raul Cardenas Ulises.Cardenas@freescale.com
Freescale's SEC block has built-in Data Encryption Key(DEK) Blob Protocol which provides a method for protecting a DEK for non-secure memory storage. SEC block protects data in a data structure called a Secret Key Blob, which provides both confidentiality and integrity protection. Every time the blob encapsulation is executed, a AES-256 key is randomly generated to encrypt the DEK. This key is encrypted with the OTP Secret key from SoC. The resulting blob consists of the encrypted AES-256 key, the encrypted DEK, and a 16-bit MAC.
During decapsulation, the reverse process is performed to get back the original DEK. A caveat to the blob decapsulation process, is that the DEK is decrypted in secure-memory and can only be read by FSL SEC HW. The DEK is used to decrypt data during encrypted boot.
Commands added
dek_blob - encapsulating DEK as a cryptgraphic blob
Commands Syntax
dek_blob src dst len
Encapsulate and create blob of a len-bits DEK at address src and store the result at address dst.Signed-off-by: Raul Cardenas Ulises.Cardenas@freescale.com Signed-off-by: Nitin Garg nitin.garg@freescale.com
Signed-off-by: Ulises Cardenas ulises.cardenas@freescale.com
Reviewed-by: Simon Glass sjg@chromium.org