
EDMK information

syedelec
Associate III

Hello

I would like to understand the EDMK (Encryption Decryption Master Key). This key is used to decrypt and encrypt BL2 and FIP binaries.

Are there any other applications of this key? For example, can it be used for LUKS?
Is it possible to access some API to encrypt/decrypt using this key? Or is it reserved to the ROM code?

Thanks

1 ACCEPTED SOLUTION

OlivierK
ST Employee

Hello,

EDMK is mainly used for BL2 and FIP encryption/decryption (signing tool and ROM code).

We use dm-encrypt, but not with EDMK (through HW RNG in OP-TEE). I don't know about LUKS.

EDMK is also used in the SSP process to encrypt/decrypt the secrets.

https://wiki.st.com/stm32mpu/wiki/How_to_deploy_SSP:_a_step-by-step_approach

It can be used elsewhere in a TA through OP-TEE for any AES processing. Upper OTPs could be made accessible through secure services, but I don't know if it makes sense to use the EDMK in this context.

https://github.com/linaro-swg/optee_examples

4 REPLIES

Thank you for your reply, we will stick to its main use (BL2 and FIP encryption/decryption).

I have managed to build an encrypted TF-A and FIP binary with EDMK, and EDMK is in the OTPs. Moreover, my device is closed now.
However, I can see that booting a TF-A (or FIP) that is not encrypted but signed works.

Is there a way to force an encryption check?

Hello,
No, as the encryption of a signed TF-A is only "optional", there isn't a way to force an encryption check in the boot ROM (there isn't any OTP for that). An encrypted TF-A with the wrong signature won't boot on a secure closed device.

syedelec
Associate III

Thanks for the details.