topic HAB PKI in i.MX Processors

HAB PKI

aleksandar_niko — Thu, 19 Nov 2020 20:58:34 GMT

Hello,

I have a question about the PKI used for the HAB authentication. The CST comes with a script which generates the full PKI: CA -> SRK -> IMG/CSF. The self-signed CA sign the SRK, which in turn sign the IMG/CSF - everything clear.

However, we are fusing the SRK onto the board. Thus, my question: Why do we need the CA ie. why arent the SRK self-signed?

Thanks, cheers,

Aleksandar

Re: HAB PKI

Yuri — Fri, 20 Nov 2020 04:08:36 GMT

@aleksandar_niko
Hello,

The issue has been already discussed in

https://community.nxp.com/t5/i-MX-Processors/Confused-about-SRK/m-p/1184334

Regards,
Yuri.

Re: HAB PKI

aleksandar_niko — Mon, 30 Nov 2020 10:00:03 GMT

Hello Yuri,

some things are still unclear for me. Let me ask this way. I modified the script that creates the hab4 PKI in a way that I use my own SRK keys/crts, but the CA and the CST/IMG keys are generated by the script every time. The SRK hashes that are supposed to be fused on the board remained the same. Does this make sense?

Re: HAB PKI

Yuri — Tue, 01 Dec 2020 03:56:20 GMT

@aleksandar_niko
Hello,

SRK is used to check CST/IMG keys. It is possible to revoke one SRK in order to use
another.

Regards,
Yuri.

Re: HAB PKI

aleksandar_niko — Tue, 01 Dec 2020 08:07:26 GMT

Hi Yuri,

I dont think you understand me, it has nothing to do with the target. If I use my own SRK keys every time I create the PKI (basically I create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

Re: HAB PKI

Yuri — Tue, 01 Dec 2020 08:16:41 GMT

Hello,

> ... create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

Yes - why not?

Regards,
Yuri.

Re: HAB PKI

aleksandar_niko — Tue, 01 Dec 2020 08:20:07 GMT

Would in that case the HAB authentication work? (The SRK hashes remain the same).

Re: HAB PKI

Yuri — Tue, 01 Dec 2020 08:51:33 GMT

@aleksandar_niko

if I correctly understand the problem - the SRK (once burned) must not be changed.

~Yuri.

Re: HAB PKI

aleksandar_niko — Tue, 01 Dec 2020 10:31:03 GMT

Heres a bit longer explanation so we would be on the same page.

Step1:

We generate the whole PKI (CA, SRK, IMG/CST)
SRKs are burned (cannot be changed anymore)
HAB authentication works

Step2:

We generate a new PKI, but with SRK keys from the previous step. This means CA and IMG/CST keys are generated, but SRK are just integrated into the PKI
This means
- SRK are the same as in Step1 but are signed by different CA
- IMG/CST keys are different than in Step1 but are signed by the same SRK

Is the PKI from the Step2 valid and could you tell whether the authentication would work?

Re: HAB PKI

Yuri — Tue, 01 Dec 2020 11:31:34 GMT

@aleksandar_niko

CA is not involved in target verifications; the PKI from the Step2 is valid and the authentication will work.
SRK hash is checked.

~Yuri.