[U-Boot] AES: Encryption of u-boot.img
bin4ry
0xbin4ry at gmail.com
Fri Sep 13 16:57:20 CEST 2013
Hi everyone,
I want to implement a minimal secure boot architecture into u-boot by
letting the u-boot.img be decrypted during SPL execution. Thus, the
u-boot.img is present on the MMC in an encrypted version. I already
implemented a basic AES-128 en-/decryption algorithm into the SPL.
Everything will be implement on a PandaBoard (OMAP4460). Now my
questions are:
1.) What would be the general architecture? u-boot.img is loaded into
external memory (DRAM)at address 0x80100000. To decrypt it, the whole
file needs to be processed by SPL, which will not be able to load the
data since the SPL can not exceed a certain size (~49 kByte I guess).
-> Thus, would it be somehow possible to implement the algorithm in
the SPL but let the u-boot.img data be stored in DRAM for processing?
2.) Furthermore, where could be a good place to put the actual algorithm
in? I figured that in my situation the function call flow is something
like this:
... > omap_boot_device() > boot_device() > spl_mmc_load_image() >
mmc_load_image_fat > file_fat_read() > do_fat_read()
>_jump_to_image_noargs() where u-boot.img is eventually called using the
image_entry() function.
Thanks a lot,
-b
More information about the U-Boot
mailing list