High Assurance Boot Certificate Validity

christopherpres · ‎06-11-2013

Hi,

I work on a Freescale i.mx28 and I use High Assurance Boot (HAB).

When creating certificates with the "hab4_pki_tree.sh" script, which is provided with the Code Signing Tool, I can enter a certificate validity duration of max. 20 years.

What happens after 20 year? Does the i.mx28 not boot anymore? Am I not able to sign software anymore? Or do I have to add new CSF and IMG certificates to sign software with them?

My questions are: Who checks the certificate duration and when? Which certificates have a limited duration (I assume the root-certificate has unlimited duration)?

Best regards,

Chris

rodz · ‎06-11-2013

Hi Chris,

Currently, if the validity period of the certificate expires nothing will happen. The ROM/HAB does not enforce certificate validity periods and the Code Signing Tool will still allow code to be signed. The intent is to enforce the cert validity periods with the code signing tool. However, feature has not yet been added and is planned as an update to the code signing tool.

Regards,

-Rod

在原帖中查看解决方案

rodz · ‎06-11-2013

Hi Chris,

Currently, if the validity period of the certificate expires nothing will happen. The ROM/HAB does not enforce certificate validity periods and the Code Signing Tool will still allow code to be signed. The intent is to enforce the cert validity periods with the code signing tool. However, feature has not yet been added and is planned as an update to the code signing tool.

Regards,

-Rod

gurukottur · ‎10-20-2016

Hi Rod,

Any update on the certificate expiry and certificate revocation and if the fuses can be revoked?

Regards,

Guru