https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769811#M119541 <HTML><HEAD></HEAD><BODY><P>Hi Yuri.</P><P></P><P>I am using CST&nbsp;Rev. 2.3.1 so sorry if my questions are already answered in the updated document.</P><P>My questions are:</P><P></P><P>1)&nbsp;Why would someone want to use&nbsp;one key for CST signing and a different key for&nbsp;<SPAN>IMG signing when both&nbsp;keys are used by the same tool? I cannot see any advantage&nbsp;in it.</SPAN></P><P></P><P><SPAN>2) Certificates generated by the add_key.sh script have&nbsp;a validity interval based on user's input. Is HAB&nbsp;checking certificate validity during boot time?</SPAN></P><P></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Michal</SPAN></P></BODY></HTML> Thu, 07 Dec 2017 10:13:51 GMT michalhojsik 2017-12-07T10:13:51Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769807#M119537 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>I am using the authenticated boot feature of i.MX6ul and I would like to ask:</P><P></P><P>What is the advantage of using dedicated CSF and IMG signing keys compared to using directly the SRKs for signing (so-called "fast authentication")?</P><P></P><P>Regards,</P><P>Michal</P></BODY></HTML> Wed, 06 Dec 2017 16:53:27 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769807#M119537 michalhojsik 2017-12-06T16:53:27Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769808#M119538 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>&nbsp;&nbsp; Classical&nbsp;&nbsp;Public Key Infrastructure (PKI) approach allows to use multiple CSF and IMG keys,</P><P>say for different design teams.&nbsp;</P><P></P><P>Have a great day,<BR />Yuri</P><P></P><P>-----------------------------------------------------------------------------------------------------------------------<BR />Note: If this post answers your question, please click the Correct Answer button. Thank you!<BR />-----------------------------------------------------------------------------------------------------------------------</P></BODY></HTML> Thu, 07 Dec 2017 05:26:18 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769808#M119538 Yuri 2017-12-07T05:26:18Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769809#M119539 <HTML><HEAD></HEAD><BODY><P>Hi Yuri.</P><P>Thanks for your reply.</P><P>If the goal was to allow different teams to have different keys, why there are different keys for CSF signing and for image signing? Both CSF and image signatures are generated by the CST in one step.</P><P>Regards,</P><P>Michal</P></BODY></HTML> Thu, 07 Dec 2017 09:10:42 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769809#M119539 michalhojsik 2017-12-07T09:10:42Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769810#M119540 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>&nbsp; "Additional keys may be added to the tree later using a separate script."</P><P>&nbsp;You may look at section&nbsp;3.2.5 (Adding a Key to a HAB4 PKI Tree) of the recent CST (2.3.3) documentation.</P><P>&nbsp; Also, customers may use own CST (Appendix B Replacing the CST Backend Implementation)</P><P>&nbsp;</P><P></P><P>Regards,</P><P>Yuri.</P></BODY></HTML> Thu, 07 Dec 2017 09:38:24 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769810#M119540 Yuri 2017-12-07T09:38:24Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769811#M119541 <HTML><HEAD></HEAD><BODY><P>Hi Yuri.</P><P></P><P>I am using CST&nbsp;Rev. 2.3.1 so sorry if my questions are already answered in the updated document.</P><P>My questions are:</P><P></P><P>1)&nbsp;Why would someone want to use&nbsp;one key for CST signing and a different key for&nbsp;<SPAN>IMG signing when both&nbsp;keys are used by the same tool? I cannot see any advantage&nbsp;in it.</SPAN></P><P></P><P><SPAN>2) Certificates generated by the add_key.sh script have&nbsp;a validity interval based on user's input. Is HAB&nbsp;checking certificate validity during boot time?</SPAN></P><P></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Michal</SPAN></P></BODY></HTML> Thu, 07 Dec 2017 10:13:51 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769811#M119541 michalhojsik 2017-12-07T10:13:51Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769812#M119542 <HTML><HEAD></HEAD><BODY><P class=""><SPAN class="">Hello,</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class="">&nbsp;1.&nbsp;</SPAN></P><P class=""><SPAN class="">&nbsp; &nbsp; IMX boot ROM HAB implementation does not allow to<SPAN style="color: #51626f; background-color: #ffffff;"><SPAN>&nbsp;</SPAN>use&nbsp;one key for CST signing and </SPAN></SPAN></P><P class=""><SPAN class=""><SPAN style="color: #51626f; background-color: #ffffff;">a different key for&nbsp;</SPAN><SPAN style="color: #51626f; background-color: #ffffff; border: 0px;">IMG signing.</SPAN></SPAN></P><P class=""></P><P class=""><SPAN style="background-color: #ffffff; border: 0px; color: #51626f;">2.</SPAN></P><P class=""><SPAN style="background-color: #ffffff; border: 0px; color: #51626f;">&nbsp; Details of&nbsp;<SPAN style="color: #3d3d3d;"><SPAN>&nbsp;</SPAN>boot ROM HAB implementation are not provided publically.</SPAN></SPAN></P><P class=""><SPAN class="">Please create request / ticket.</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""><A class="link-titled" href="https://www.nxp.com/support/support:SUPPORTHOME?tid=sbmenu" title="https://www.nxp.com/support/support:SUPPORTHOME?tid=sbmenu">Support|NXP</A>&nbsp;&nbsp;</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">Have a great day,</SPAN></P><P class=""><SPAN class="">Yuri</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class="">------------------------------------------------------------------------------</SPAN></P><P class=""><SPAN class="">Note: If this post answers your question, please click the Correct Answer </SPAN></P><P class=""><SPAN class="">button. Thank you!</SPAN></P></BODY></HTML> Fri, 08 Dec 2017 02:16:25 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769812#M119542 Yuri 2017-12-08T02:16:25Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769813#M119543 <HTML><HEAD></HEAD><BODY><P>Hi Yuri.</P><P>Sorry, there was a typo in the first question - should be CSF signing and not CST signing. The question is:</P><P><SPAN style="color: #51626f; background-color: #ffffff;">1)&nbsp;Why would someone want to use&nbsp;one key for <STRONG>CSF</STRONG> signing and a different key for&nbsp;</SPAN><SPAN style="color: #51626f; background-color: #ffffff; border: 0px;">IMG signing when both&nbsp;keys are used by the same tool? I cannot see any advantage&nbsp;in it.</SPAN></P><P><SPAN style="color: #51626f; background-color: #ffffff; border: 0px;">CSF key is installed by the CSF command&nbsp;[Install CSFK], IMG key by the&nbsp;[Install Key] command.</SPAN></P><P><SPAN style="color: #51626f; background-color: #ffffff; border: 0px;">Regards,</SPAN></P><P><SPAN style="color: #51626f; background-color: #ffffff; border: 0px;">Michal</SPAN></P><P></P></BODY></HTML> Fri, 08 Dec 2017 11:53:10 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769813#M119543 michalhojsik 2017-12-08T11:53:10Z https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769814#M119544 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>&nbsp; The IMG also may be encrypted, CSF should be only signed.&nbsp; &nbsp;</P><P></P><P>Regards,</P><P>Yuri.</P></BODY></HTML> Mon, 11 Dec 2017 08:39:15 GMT https://community.nxp.com/t5/i-MX-Processors/Why-not-use-only-fast-authentication/m-p/769814#M119544 Yuri 2017-12-11T08:39:15Z