- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
-
- Home
- :
- i.MX Security
- :
- Knowledge Base
- :
- Optional Extended Key Usage x.509 Extension not Supported
Optional Extended Key Usage x.509 Extension not Supported
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Optional Extended Key Usage x.509 Extension not Supported
Optional Extended Key Usage x.509 Extension not Supported
Background
i.MX devices using High Assurance Boot (HAB) support Public Key Infrastructure (PKI) support using X.509v3 certificates.
The certificates support optional extensions that are used to provide additional attributes together with the public key and are either critical or non-critical. A certificate must be rejected if a critical extension cannot be handled properly while a non-critical extension may be ignored. The extensions can be seen as an additional protocol between a certificate issuer and an application.
Issue
A device configured in a security enabled configuration may not boot when using optional extendedKeyUsage attribute.The issue has been identified in the High Assurance Boot (HAB) during the parsing of a X.509 certificate in a security enabled configuration (SEC_CONFIG[1] eFUSE is programmed). The issue is with the MMU configuration in the ROM that is affecting the cache coherency when using this particular optional x.509 extension, preventing the device from booting. This issue does not have any security implications and is unrelated to the previous x509 vulnerability.
Impacted Devices
- All i.MX6 devices including the latest silicon revisions with the ROM updates are subject to this cache coherency limitation when using extendedKeyUsage
- Only impacts devices configured in a security enabled mode. Designs not using security enabled mode are not affected.
Workarounds
The recommended workarounds is to not use this optional extendedKeyUsage attribute as it prevents the coherency issue
- If the customer insists on the use of extendedKeyUsage , then the other potential workaround is to disable MMU/cache during Boot.
- This work around disables the MMU and will hence also prevent coherency issues on their device, however disabling the MMU/Cache does have some performance limitations - increasing the boot time
Security Implications
There are security implications if the certificate issuer wants to set the extendedKeyUsage extension as a critical extension.
In this case, the certificate issuer wants to narrow down the possible contexts where the certificates will be usable, meaning it is very likely that the certificate will be rejected in a general context. There is a need to align the certificate issuer and the application.
