https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775637#M120428 <HTML><HEAD></HEAD><BODY><P>Dear Yuri,</P><P>&nbsp; &nbsp;我在不是virtual box到机器上试了一下，不会出现 random state错误。（可能是virtualbox的问题？）</P><P>&nbsp; &nbsp;谢谢！</P><P>&nbsp; &nbsp;</P><P></P><P>luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$ ./hab4_pki_tree.sh</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR /> This script is a part of the Code signing tools for Freescale's<BR /> High Assurance Boot. It generates a basic PKI tree. The PKI<BR /> tree consists of one or more Super Root Keys (SRK), with each<BR /> SRK having two subordinate keys: <BR /> + a Command Sequence File (CSF) key <BR /> + Image key. <BR /> Additional keys can be added to the PKI tree but a separate <BR /> script is available for this. This this script assumes openssl<BR /> is installed on your system and is included in your search <BR /> path. Finally, the private keys generated are password <BR /> protectedwith the password provided by the file key_pass.txt.<BR /> The format of the file is the password repeated twice:<BR /> my_password<BR /> my_password<BR /> All private keys in the PKI tree are in PKCS #8 format will be<BR /> protected by the same password.</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR />Do you want to use an existing CA key (y/n)?: n<BR />Enter key length in bits for PKI tree: 2048<BR />Enter PKI tree duration (years): 10<BR />How many Super Root Keys should be generated? 4<BR />Do you want the SRK certificates to have the CA flag set? (y/n)?: y<BR />A default 'serial' file was created!<BR />A default file 'key_pass.txt' was created with password = test!</P><P>+++++++++++++++++++++++++++++++++++++<BR />+ Generating CA key and certificate +<BR />+++++++++++++++++++++++++++++++++++++</P><P>Generating a 2048 bit RSA private key<BR />................................................................................................................................................+++<BR />.......................+++<BR />writing new private key to 'temp_ca.pem'<BR />-----</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />......................................+++<BR />.....................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:50 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................................................+++<BR />..............................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................+++<BR />..+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.......+++<BR />..............................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK2_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.......................................+++<BR />....................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.................................................+++<BR />...........+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />..............................................+++<BR />..............................................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK3_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />................................+++<BR />............................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.........................................+++<BR />..........................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.........................+++<BR />...................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK4_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />................................................................+++<BR />...................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................................................................................+++<BR />......................................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$ </P></BODY></HTML> Wed, 06 Jun 2018 16:10:36 GMT yongheluo_hotma 2018-06-06T16:10:36Z https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775633#M120424 <HTML><HEAD></HEAD><BODY><P>Dear Sir，</P><P>&nbsp; &nbsp; 我的平台是：i.mx6 solo</P><P>&nbsp; &nbsp;uboot软件版本是：U-Boot 2013.04</P><P></P><P>&nbsp; &nbsp;按照CST文档写入了SRK，并制作了CST文件，但是在uboot启动时仍然显示如下，请帮忙分析一下原因。谢谢！</P><P>====================================================</P><P>HAB Configuration: 0xf0, HAB State: 0x66</P><P>--------- HAB Event 1 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x08 0x41 0x33 0x22 0x0a 0x00</P><P>--------- HAB Event 2 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x00<BR /> 0x00 0x00 0x00 0x20</P><P>--------- HAB Event 3 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x2c<BR /> 0x00 0x00 0x02 0x38</P><P>--------- HAB Event 4 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x7f 0xb0 0x20<BR /> 0x00 0x00 0x00 0x01</P><P>--------- HAB Event 5 -----------------<BR /> event data:<BR /> 0xdb 0x00 0x14 0x41 0x33 0x0c 0xa0 0x00<BR /> 0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00<BR /> 0x00 0x00 0x00 0x04<BR /> MXC_ARM_CLK = 792000000Hz<BR /> MXC_DDR_CLK= 400000000Hz</P><P>==============================</P><P>&nbsp; &nbsp; &nbsp;谢谢！</P><P>&nbsp; &nbsp; Yonghe.Luo</P></BODY></HTML> Wed, 23 May 2018 06:56:51 GMT https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775633#M120424 yongheluo_hotma 2018-05-23T06:56:51Z https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775634#M120425 <HTML><HEAD></HEAD><BODY><P>Dear Sir,</P><P>&nbsp; &nbsp; 昨天看了nxp论坛上的一下讨论，目前问题已经解决了。</P><P>&nbsp; &nbsp; Thanks.</P><P>&nbsp; &nbsp; Yonghe.Luo</P></BODY></HTML> Thu, 24 May 2018 02:54:32 GMT https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775634#M120425 yongheluo_hotma 2018-05-24T02:54:32Z https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775635#M120426 <HTML><HEAD></HEAD><BODY><P class=""><SPAN class="">Hello,</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp;</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp; Appendix A (Interpreting HAB Event Data from Report_Event() API) of the “HAB4_API.pdf” </SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">in the CST package should be used to analyze HAB Events.</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp;</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;"><A href="https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL&amp;amp;appType=license&amp;amp;location=null&amp;fsrch=1&amp;sr=1&amp;pageNum=1&amp;Parent_nodeId=&amp;Parent_pageType">https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL&amp;amp;appType=license&amp;amp;location=null&amp;fsrch=1&amp;sr=1&amp;pageNum=1&amp;Parent_nodeId=&amp;Parent_pageType</A>=</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp;</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp;</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp; HAB event 1 in Your case has "HAB_INV_ADDRESS (0x22) reason, that is -</SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">Invalid address: access denied", please check if initialization via DCD table meet allowed addresses. </SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">&nbsp; Please take a look at Table 8-29 (Valid DCD Address Ranges) in i.MX 6Solo/6DualLite Reference Manual, </SPAN></P><P class=""><SPAN style="color: black; font-size: 12.0pt; font-family: 'Arial',sans-serif;">Rev. 3, 09/2017</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class="">Have a great day,</SPAN></P><P class=""><SPAN class="">Yuri</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class="">------------------------------------------------------------------------------</SPAN></P><P class=""><SPAN class="">Note: If this post answers your question, please click the Correct Answer </SPAN></P><P class=""><SPAN class="">button. Thank you!</SPAN></P></BODY></HTML> Thu, 24 May 2018 06:29:03 GMT https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775635#M120426 Yuri 2018-05-24T06:29:03Z https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775636#M120427 <HTML><HEAD></HEAD><BODY><P>Dear Yuri,</P><P>&nbsp; &nbsp; 我们在用CST3.0.1，运行hab4_pki_tree.sh时，得到如下结果，不知是否正常？</P><P>&nbsp; &nbsp;&nbsp;<SPAN>unable to write 'random state'</SPAN></P><P></P><P>&nbsp; &nbsp;（运行环境： ubuntu 14.04 64Bit）</P><P></P><P>&nbsp; 完整的log如下，谢谢！</P><P></P><P>yonghe@yonghe-VirtualBox:~/cst/cst3.0.1-release/keys$ ./hab4_pki_tree.sh</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR /> This script is a part of the Code signing tools for Freescale's<BR /> High Assurance Boot. It generates a basic PKI tree. The PKI<BR /> tree consists of one or more Super Root Keys (SRK), with each<BR /> SRK having two subordinate keys: <BR /> + a Command Sequence File (CSF) key <BR /> + Image key. <BR /> Additional keys can be added to the PKI tree but a separate <BR /> script is available for this. This this script assumes openssl<BR /> is installed on your system and is included in your search <BR /> path. Finally, the private keys generated are password <BR /> protectedwith the password provided by the file key_pass.txt.<BR /> The format of the file is the password repeated twice:<BR /> my_password<BR /> my_password<BR /> All private keys in the PKI tree are in PKCS #8 format will be<BR /> protected by the same password.</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR />Do you want to use an existing CA key (y/n)?: n<BR />Enter key length in bits for PKI tree: 2048<BR />Enter PKI tree duration (years): 10<BR />How many Super Root Keys should be generated? 4<BR />Do you want the SRK certificates to have the CA flag set? (y/n)?: y</P><P>+++++++++++++++++++++++++++++++++++++<BR />+ Generating CA key and certificate +<BR />+++++++++++++++++++++++++++++++++++++</P><P>Generating a 2048 bit RSA private key<BR />..................................+++<BR />..............+++<BR />unable to write 'random state'<BR />writing new private key to 'temp_ca.pem'<BR />-----<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />..................+++<BR />..................................................................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.......+++<BR />.........................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.....+++<BR />..............................................................................................................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.....................+++<BR />.........................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK2_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 14:25:16 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />..............+++<BR />.......+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />....+++<BR />.........................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />............+++<BR />............................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK3_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />...............................................................................+++<BR />...............................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:17 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />................................................................+++<BR />.......................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />............................................................+++<BR />....................................................................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK4_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.....................................+++<BR />..............................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:18 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />..............+++<BR />................................................................+++<BR />unable to write 'random state'<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 14:25:19 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />unable to write 'random state'<BR />unable to write 'random state'<BR />unable to write 'random state'</P></BODY></HTML> Wed, 06 Jun 2018 14:38:25 GMT https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775636#M120427 yongheluo_hotma 2018-06-06T14:38:25Z https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775637#M120428 <HTML><HEAD></HEAD><BODY><P>Dear Yuri,</P><P>&nbsp; &nbsp;我在不是virtual box到机器上试了一下，不会出现 random state错误。（可能是virtualbox的问题？）</P><P>&nbsp; &nbsp;谢谢！</P><P>&nbsp; &nbsp;</P><P></P><P>luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$ ./hab4_pki_tree.sh</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR /> This script is a part of the Code signing tools for Freescale's<BR /> High Assurance Boot. It generates a basic PKI tree. The PKI<BR /> tree consists of one or more Super Root Keys (SRK), with each<BR /> SRK having two subordinate keys: <BR /> + a Command Sequence File (CSF) key <BR /> + Image key. <BR /> Additional keys can be added to the PKI tree but a separate <BR /> script is available for this. This this script assumes openssl<BR /> is installed on your system and is included in your search <BR /> path. Finally, the private keys generated are password <BR /> protectedwith the password provided by the file key_pass.txt.<BR /> The format of the file is the password repeated twice:<BR /> my_password<BR /> my_password<BR /> All private keys in the PKI tree are in PKCS #8 format will be<BR /> protected by the same password.</P><P>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++<BR />Do you want to use an existing CA key (y/n)?: n<BR />Enter key length in bits for PKI tree: 2048<BR />Enter PKI tree duration (years): 10<BR />How many Super Root Keys should be generated? 4<BR />Do you want the SRK certificates to have the CA flag set? (y/n)?: y<BR />A default 'serial' file was created!<BR />A default file 'key_pass.txt' was created with password = test!</P><P>+++++++++++++++++++++++++++++++++++++<BR />+ Generating CA key and certificate +<BR />+++++++++++++++++++++++++++++++++++++</P><P>Generating a 2048 bit RSA private key<BR />................................................................................................................................................+++<BR />.......................+++<BR />writing new private key to 'temp_ca.pem'<BR />-----</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />......................................+++<BR />.....................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK1_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:50 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................................................+++<BR />..............................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 1 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................+++<BR />..+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG1_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.......+++<BR />..............................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK2_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.......................................+++<BR />....................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 2 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.................................................+++<BR />...........+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG2_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />..............................................+++<BR />..............................................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK3_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />................................+++<BR />............................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 3 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.........................................+++<BR />..........................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG3_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating SRK key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.........................+++<BR />...................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'SRK4_sha256_2048_65537_v3_ca'<BR />Certificate is to be certified until Jun 3 16:03:51 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating CSF key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />................................................................+++<BR />...................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'CSF4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated</P><P>++++++++++++++++++++++++++++++++++++++++<BR />+ Generating IMG key and certificate 4 +<BR />++++++++++++++++++++++++++++++++++++++++</P><P>Generating RSA private key, 2048 bit long modulus<BR />.............................................................................................+++<BR />......................................................................................................+++<BR />e is 65537 (0x10001)<BR />Using configuration from ../ca/openssl.cnf<BR />Check that the request matches the signature<BR />Signature ok<BR />The Subject's Distinguished Name is as follows<BR />commonName :ASN.1 12:'IMG4_1_sha256_2048_65537_v3_usr'<BR />Certificate is to be certified until Jun 3 16:03:52 2028 GMT (3650 days)</P><P>Write out database with 1 new entries<BR />Data Base Updated<BR />luoyonghe@luoyonghe-Latitude-5480:~/cst/release/keys$ </P></BODY></HTML> Wed, 06 Jun 2018 16:10:36 GMT https://community.nxp.com/t5/i-MX-Processors/uboot-%E5%8A%A0%E5%85%A5Secure-boot%E5%8A%9F%E8%83%BD-%E4%B8%94%E5%8A%A0%E5%85%A5%E7%9A%84CST%E7%94%9F%E6%88%90%E7%9A%84%E7%AD%BE%E5%90%8D%E6%96%87%E4%BB%B6-%E7%83%A7%E5%86%99%E8%BF%9B%E5%8E%BB%E5%90%8E%E4%BB%8D%E7%84%B6%E6%8F%90%E7%A4%BA%E9%94%99%E8%AF%AF/m-p/775637#M120428 yongheluo_hotma 2018-06-06T16:10:36Z