How do I enable encrypt/decrypt support for Linux boot.bin and kernel linux.bin/recovery kernel? In the SDK Yocto build, I can see the script ti-k3-secdev/scripts/secure-binary-image.sh is used to sign each binary, but I cannot find out where tiboot3.bin is signed. Also, I saw one presentation showing:
## Loading kernel from FIT Image at 90000000 ...
Using 'k3 am62x lp sk.dtb' configuration
Authentication passed -- Kernel authentication
## Loading fdt from FIT Image at 90000000 ...
Using 'k3 am62x lp sk.dtb' configuration
Trying 'k3am62x lp sk.dtb' fdt subimage
Authentication passed -- Kernel DTB authentication
Booting using the fdt blob at 0x9076bc3c
But on AM62d-evm, the kernel and kernel DTB are not signed.
Questions for TI security experts, for the AM62D Yocto build:
1) Where is tiboot3.bin signed, and which script is used to sign it?
2) Where and how are the kernel and kernel DTB signed (and/or encrypted)? Can you provide example scripts to do that?
3) I see the code supporting signing but not encrypt/decrypt, but I also see some documents that mention encrypt/decrypt. Could you point out where the code is (if available) and the formal documents/links supporting encrypt/decrypt of boot images (tiboot3, tispl, u-boot, etc.) and the kernel image (linux.bin/recovery kernel)? The more specific, the better.
Thanks,
Aiping