AM6442: zero-padding of encrypted binary for secure boot

Part Number: AM6442

I have a question regarding the zero-padding of encrypted binaries for secure boot, as outlined in the TISCI documentation. The System Firmware Encryption Extension does not provide information about the number of padding bytes added, and the imageSize field of the System Firmware Image Integrity Extension accounts for the total length of the encrypted binary, padding included.

Upon decryption, how does the System Firmware remove the padding? While padding schemes like PKCS#7 offer a clear method to determine the padding length, this is not the case with plain zero-byte padding.

Thank you for your help!

  • Hello,

    The SYSFW has the provision of padding bytes for 16-byte alignment primarily for reading the 32 bytes padded random string. It does not really manipulate the zero padded bytes in any way.

    Regards,

    Prashant 

  • To sum it up: When the image is authenticated, decrypted, and moved to the destination as specified in the System Firmware Encryption Extension (1.3.6.1.4.1.294.1.4.), we don't need to worry about any additional zero bytes that might be present. This is because a boot image remains invariant with respect to the appended bytes. Thanks for the clarification!

  • To sum it up: When the image is authenticated, decrypted, and moved to the destination as specified in the System Firmware Encryption Extension (1.3.6.1.4.1.294.1.4.), we don't need to worry about any additional zero bytes that might be present. This is because a boot image remains invariant with respect to the appended bytes.

    That is exactly correct.

    Thanks!
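
The conclusion of the thread, as an added example (not TI code and not part of any post above): zero padding to the 16-byte boundary cannot be stripped unambiguously the way PKCS#7 padding can, but the original image always survives as an intact prefix of the padded buffer. The function names and the two sample images are constructed for illustration.

```python
BLOCK = 16  # alignment named in the thread


def zero_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 0x00 bytes up to the next block boundary (none if already aligned)."""
    return data + b"\x00" * (-len(data) % block)


def zero_unpad_guess(padded: bytes) -> bytes:
    """Without a stored length, the only possible removal is stripping all trailing zeros."""
    return padded.rstrip(b"\x00")


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - len(data) % block  # always 1..block, so the length is self-describing
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block: int = BLOCK) -> bytes:
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]


def roundtrip_report(image: bytes) -> dict:
    """Compare what each scheme can recover from a padded image."""
    padded = zero_pad(image)
    return {
        "padded_len": len(padded),  # the total length, padding included
        "zero_recovers": zero_unpad_guess(padded) == image,
        "pkcs7_recovers": pkcs7_unpad(pkcs7_pad(image)) == image,
        "prefix_intact": padded[:len(image)] == image,
    }


# Constructed sample images (not real firmware), 20 bytes each.
IMG_NONZERO_TAIL = bytes(range(1, 21))
IMG_ZERO_TAIL = bytes(range(1, 19)) + b"\x00\x00"  # image legitimately ends in zeros

if __name__ == "__main__":
    for name, img in (("nonzero tail", IMG_NONZERO_TAIL), ("zero tail", IMG_ZERO_TAIL)):
        print(name, roundtrip_report(img))
```

For the image that ends in zero bytes, stripping trailing zeros removes part of the image itself, so a loader that has no stored plaintext length can only leave the padding in place.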