https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960874#M143372 <HTML><HEAD></HEAD><BODY><P>(I asked the same question on the security&nbsp;stack exchange website.&nbsp; I'm doing what is largely and cut and paste here with a few more things)</P><P></P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">High Availability Boot (HAB) is a technique described<SPAN>&nbsp;</SPAN><A href="https://www.nxp.com/docs/en/application-note/AN4581.pdf" rel="nofollow noreferrer" style="color: rgba(61, 133, 176, 0.8); border: 0px; font-weight: inherit; text-decoration: underline;">here</A><SPAN>&nbsp;</SPAN>in an NxP application note.&nbsp;The procedure burns Super Root Key (SRK) fuses using a software tool called<SPAN>&nbsp;</SPAN><SPAN style="border: 0px; font-weight: bold;"><STRONG>srktool</STRONG></SPAN>. In it's proper use, I would use an SSL certificate with the OID set for code-signing. This would have an oid of 1.3.6.1.5.5.7.3.3.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">However, there doesn't appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 1.3.6.1.5.5.7.3.2.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">The problem is that if I have two certificates from the same CA:</P><OL style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em 30px;"><LI style="border: 0px; font-weight: inherit; margin: 0px 0px 0.5em;">Code-signing certificate</LI><LI style="border: 0px; font-weight: inherit;">Client certificate</LI></OL><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">The only option is use different CAs for both code-signing and client certs. I'm wondering if there's some way to check the OIDs?</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">From this&nbsp;<A href="https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html">blog post</A>&nbsp;it suggests that entire certificate is parsed.&nbsp; Can I enforce the KeyUsage check in the INSTALL_KEY CSF Command?</P></BODY></HTML> Wed, 23 Oct 2019 23:58:23 GMT simonboland 2019-10-23T23:58:23Z https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960874#M143372 <HTML><HEAD></HEAD><BODY><P>(I asked the same question on the security&nbsp;stack exchange website.&nbsp; I'm doing what is largely and cut and paste here with a few more things)</P><P></P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">High Availability Boot (HAB) is a technique described<SPAN>&nbsp;</SPAN><A href="https://www.nxp.com/docs/en/application-note/AN4581.pdf" rel="nofollow noreferrer" style="color: rgba(61, 133, 176, 0.8); border: 0px; font-weight: inherit; text-decoration: underline;">here</A><SPAN>&nbsp;</SPAN>in an NxP application note.&nbsp;The procedure burns Super Root Key (SRK) fuses using a software tool called<SPAN>&nbsp;</SPAN><SPAN style="border: 0px; font-weight: bold;"><STRONG>srktool</STRONG></SPAN>. In it's proper use, I would use an SSL certificate with the OID set for code-signing. This would have an oid of 1.3.6.1.5.5.7.3.3.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">However, there doesn't appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 1.3.6.1.5.5.7.3.2.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">The problem is that if I have two certificates from the same CA:</P><OL style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em 30px;"><LI style="border: 0px; font-weight: inherit; margin: 0px 0px 0.5em;">Code-signing certificate</LI><LI style="border: 0px; font-weight: inherit;">Client certificate</LI></OL><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">The only option is use different CAs for both code-signing and client certs. I'm wondering if there's some way to check the OIDs?</P><P style="color: #242729; background-color: #ffffff; border: 0px; margin: 0px 0px 1em;">From this&nbsp;<A href="https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html">blog post</A>&nbsp;it suggests that entire certificate is parsed.&nbsp; Can I enforce the KeyUsage check in the INSTALL_KEY CSF Command?</P></BODY></HTML> Wed, 23 Oct 2019 23:58:23 GMT https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960874#M143372 simonboland 2019-10-23T23:58:23Z https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960875#M143373 <HTML><HEAD></HEAD><BODY><P class=""><SPAN class="">Hello,</SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">&nbsp; Customers can use CST sources, provided with the recent CST 3.2.0,</SPAN></P><P class=""><SPAN class="">in order to clarify CST using details.</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class=""><A class="link-titled" href="https://www.nxp.com/webapp/Download?colCode=IMX_CST3.2.0_TOOL&amp;location=null" title="https://www.nxp.com/webapp/Download?colCode=IMX_CST3.2.0_TOOL&amp;location=null">https://www.nxp.com/webapp/Download?colCode=IMX_CST3.2.0_TOOL</A></SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class=""></SPAN></P><P class=""><SPAN class="">Have a great day,</SPAN></P><P class=""><SPAN class="">Yuri</SPAN></P><P class=""><SPAN class="">&nbsp;</SPAN></P><P class=""><SPAN class="">-------------------------------------------------------------------------------</SPAN></P><P class=""><SPAN class="">Note:</SPAN></P><P class=""><SPAN class="">- If this post answers your question, please click the "Mark Correct" button. Thank you!</SPAN></P><P class=""><SPAN class="">- We are following threads for 7 weeks after the last post, later replies are ignored</SPAN></P><P class=""><SPAN class="">Please open a new thread and refer to the closed one, if you have a related question at a later point in time.</SPAN></P></BODY></HTML> Mon, 28 Oct 2019 06:06:02 GMT https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960875#M143373 Yuri 2019-10-28T06:06:02Z https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960876#M143374 <HTML><HEAD></HEAD><BODY><P>Hi Yuri,&nbsp;</P><P></P><P>Does it mean that I can modify the CST tool to customise it to support a check of the OIDs?&nbsp;&nbsp;</P><P></P><P>I was looking at this but wasn't sure where to make the necessary change.&nbsp; If you can point me to the specific area or give me more details that would be great.</P><P></P><P>Regards,</P><P>Simon</P></BODY></HTML> Mon, 28 Oct 2019 06:33:15 GMT https://community.nxp.com/t5/i-MX-Processors/High-Availability-Boot-processes-and-only-using-code-signing/m-p/960876#M143374 simonboland 2019-10-28T06:33:15Z