FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EDMK information

Go to solution
syedelec
Associate III

‎2023-09-25 07:20 AM - edited ‎2023-09-25 03:33 PM

Hello

I would like to understand the EDMK (Encryption Decryption Master Key). This key is used to decrypt and encrypt BL2 and FIP binaries.

Are there any other application of this key? For example, can it be used for LUKS ?
Is it possible to access some API to encrypt/decrypt using this key? Or is it reserved to the ROM code?

Thanks

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
OlivierK
ST Employee

‎2023-10-02 06:45 AM

Hello,

 

EDMK is mainly use for BL2 and FIP encryption/decryption (signingtool and romcode). 

We use dm-encrypt, but not with EDMK (through HW RNG in OP-TEE). I don't know about LUKS.

 

EDMK is also used in the SSP process to encrypt/decrypt the secrets. 

https://wiki.st.com/stm32mpu/wiki/How_to_deploy_SSP:_a_step-by-step_approach

It can be used elsewhere in a TA through OP-TEE for any AES processing. Upper OTPs could be made accessible through secure services but I don't know it it make sense to use the EDMK in this context.

https://github.com/linaro-swg/optee_examples

 

 

 

 

View solution in original post

0 Kudos
4 REPLIES 4
Go to solution
OlivierK
ST Employee

‎2023-10-02 06:45 AM

Hello,

 

EDMK is mainly use for BL2 and FIP encryption/decryption (signingtool and romcode). 

We use dm-encrypt, but not with EDMK (through HW RNG in OP-TEE). I don't know about LUKS.

 

EDMK is also used in the SSP process to encrypt/decrypt the secrets. 

https://wiki.st.com/stm32mpu/wiki/How_to_deploy_SSP:_a_step-by-step_approach

It can be used elsewhere in a TA through OP-TEE for any AES processing. Upper OTPs could be made accessible through secure services but I don't know it it make sense to use the EDMK in this context.

https://github.com/linaro-swg/optee_examples

 

 

 

 

0 Kudos
Go to solution
syedelec
Associate III
In response to OlivierK

‎2023-10-02 07:34 AM

Thank you for your reply, we will stick to its main use (BL2 and FIP encryption/decryption).

I have managed to build an encrypted TF-A and FIP binary with EDMK and EDMK is in the OTPs. Moreover, my device is closed now.
However I can see that booting TF-A (or FIP) that are not encrypted but signed is working.

Is there a way to force encryption check?

0 Kudos
Go to solution
OlivierK
ST Employee
In response to OlivierK

‎2023-10-11 03:54 AM

Hello, 
No as the encryption of a signed TF-A is only "optional" , there isn't a way to force encryption check in the bootrom (there isn't any OTP for that).  An encrypted TF-A with the wrong signature won't boot on a secure closed device.

0 Kudos
Go to solution
syedelec
Associate III

‎2023-10-13 02:36 AM

Thanks for the details.

0 Kudos
Top