https://community.nxp.com/t5/i-MX-Processors/adding-SRK-key-s-hash-to-eFuse-later/m-p/1070692#M157286 <HTML><HEAD></HEAD><BODY><P>Hello</P><P>I am using iMX8M Mini.&nbsp;</P><P>I read on CST tool user's manual that you can add keys later, including SRK key.</P><P>I was wondering if it is possible to firstly program eFUSE with hash of only&nbsp;&nbsp;one SRK key, let's call it SRK1 key, and use device in secure mode with this key only.</P><P>Then at later time add another SRK key and program the second eFUSE correspondent to this new SRK2 key and move to use it for new images.</P><P>Are there any limitations in eFuses writing process and hash that could forbid adding hash data specific to an individual key to eFuse individually and at different times ?</P><P>I mean CST will always generate SRK table.bin map , whose hash value is calculated to SRK_fuse.bin.</P><P>But this hash is an overall sha-256 value and so it is my understanding that information about individual keys is not carried forward into the hash value, so adding a new key means changing the whole SHA-256, is this correct ?</P><P>If that is the case it is not possible to add the part of the hash correspondent&nbsp; to the new key to the fuses later.</P><P>Just to explain better, this is what we would look for :</P><P>Firstly I will add 1 SRK key&nbsp; and generate Hash and write hash to fuse.</P><P>Then at later time I will add another SRK key generate new SRK table .bin map and new hash values. Can I update hash value relative to new key to eFuses without problems?</P><P>&nbsp;</P><P>thank you</P></BODY></HTML> Thu, 23 Apr 2020 11:21:24 GMT antonio_santagi 2020-04-23T11:21:24Z https://community.nxp.com/t5/i-MX-Processors/adding-SRK-key-s-hash-to-eFuse-later/m-p/1070692#M157286 <HTML><HEAD></HEAD><BODY><P>Hello</P><P>I am using iMX8M Mini.&nbsp;</P><P>I read on CST tool user's manual that you can add keys later, including SRK key.</P><P>I was wondering if it is possible to firstly program eFUSE with hash of only&nbsp;&nbsp;one SRK key, let's call it SRK1 key, and use device in secure mode with this key only.</P><P>Then at later time add another SRK key and program the second eFUSE correspondent to this new SRK2 key and move to use it for new images.</P><P>Are there any limitations in eFuses writing process and hash that could forbid adding hash data specific to an individual key to eFuse individually and at different times ?</P><P>I mean CST will always generate SRK table.bin map , whose hash value is calculated to SRK_fuse.bin.</P><P>But this hash is an overall sha-256 value and so it is my understanding that information about individual keys is not carried forward into the hash value, so adding a new key means changing the whole SHA-256, is this correct ?</P><P>If that is the case it is not possible to add the part of the hash correspondent&nbsp; to the new key to the fuses later.</P><P>Just to explain better, this is what we would look for :</P><P>Firstly I will add 1 SRK key&nbsp; and generate Hash and write hash to fuse.</P><P>Then at later time I will add another SRK key generate new SRK table .bin map and new hash values. Can I update hash value relative to new key to eFuses without problems?</P><P>&nbsp;</P><P>thank you</P></BODY></HTML> Thu, 23 Apr 2020 11:21:24 GMT https://community.nxp.com/t5/i-MX-Processors/adding-SRK-key-s-hash-to-eFuse-later/m-p/1070692#M157286 antonio_santagi 2020-04-23T11:21:24Z https://community.nxp.com/t5/i-MX-Processors/adding-SRK-key-s-hash-to-eFuse-later/m-p/1070693#M157287 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>&nbsp; &nbsp;Your understanding basically is correct: practically it is not possible to add&nbsp;</P><P>the SRK keys because i.MX SRK fuse contains&nbsp;&nbsp;hash value of all&nbsp; SRK keys.</P><P></P><P>Regards,</P><P>Yuri.</P></BODY></HTML> Fri, 24 Apr 2020 04:10:55 GMT https://community.nxp.com/t5/i-MX-Processors/adding-SRK-key-s-hash-to-eFuse-later/m-p/1070693#M157287 Yuri 2020-04-24T04:10:55Z