[U-Boot] AES: Encryption of u-boot.img
Michael Trimarchi
michael at amarulasolutions.com
Fri Sep 13 19:28:35 CEST 2013
Hi
On Fri, Sep 13, 2013 at 4:57 PM, bin4ry <0xbin4ry at gmail.com> wrote:
> Hi everyone,
>
> I want to implement a minimal secure boot architecture into u-boot by
> letting the u-boot.img be decrypted during SPL execution. Thus, the
> u-boot.img is present on the MMC in an encrypted version. I already
> implemented a basic AES-128 en-/decryption algorithm into the SPL.
>
> Everything will be implement on a PandaBoard (OMAP4460). Now my
> questions are:
>
> 1.) What would be the general architecture? u-boot.img is loaded into
> external memory (DRAM)at address 0x80100000. To decrypt it, the whole
> file needs to be processed by SPL, which will not be able to load the
> data since the SPL can not exceed a certain size (~49 kByte I guess).
>
> -> Thus, would it be somehow possible to implement the algorithm in
> the SPL but let the u-boot.img data be stored in DRAM for processing?
>
> 2.) Furthermore, where could be a good place to put the actual algorithm
> in? I figured that in my situation the function call flow is something
> like this:
>
> ... > omap_boot_device() > boot_device() > spl_mmc_load_image() >
> mmc_load_image_fat > file_fat_read() > do_fat_read()
... > omap_boot_device() > boot_device() > spl_mmc_load_image()
>file_fat_read() > do_fat_read()
I don't understand you can decrypt it after load. Why just verify the signature?
Michael
>>_jump_to_image_noargs() where u-boot.img is eventually called using the
> image_entry() function.
>
>
> Thanks a lot,
> -b
>
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
More information about the U-Boot
mailing list