<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: imx8qxp secure boot keys in i.MX Processors</title>
    <link>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1750101#M215042</link>
    <description>&lt;P&gt;&lt;SPAN&gt;1)&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;Yes, That is correct.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;2) One is with&amp;nbsp;PKI tree including a subordinate SGK key, the other is not. By the way,&amp;nbsp;Which version of CST are you using?&amp;nbsp; &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;3)&amp;nbsp; - In i.MX 8/8x family, the expected SRK HASH is of 512 bits. that means SRK HASH is 512bits generating with SRK tool in i.MX8/8X. against to that, In i.MX 8ULP/9x, the expected SRK HASH is of 256 bit. SRK HASH will be burned to fuse of SoC.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Best regards&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Harvey&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 01 Nov 2023 08:02:50 GMT</pubDate>
    <dc:creator>Harvey021</dc:creator>
    <dc:date>2023-11-01T08:02:50Z</dc:date>
    <item>
      <title>imx8qxp secure boot keys</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1748148#M214860</link>
      <description>&lt;P&gt;HI team,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am using the imx8qxp-mek board,&amp;nbsp; i was going through the below doc.&lt;/P&gt;&lt;P&gt;&lt;A href="https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/introduction_ahab.txt" target="_blank"&gt;https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/introduction_ahab.txt&lt;/A&gt;&lt;/P&gt;&lt;P&gt;I have a doubt on some points.&lt;/P&gt;&lt;P&gt;If i amusing the below configuration while generating the keys and certificate.&lt;/P&gt;&lt;P&gt;$ ./ahab_pki_tree.sh&lt;BR /&gt;...&lt;BR /&gt;Do you want to use an existing CA key (y/n)?: n&lt;BR /&gt;Do you want to use Elliptic Curve Cryptography (y/n)?: y&lt;BR /&gt;Enter length for elliptic curve to be used for PKI tree:&lt;BR /&gt;Possible values p256, p384, p521: p384&lt;BR /&gt;Enter the digest algorithm to use: sha384&lt;BR /&gt;Enter PKI tree duration (years): 5&lt;BR /&gt;&lt;STRONG&gt;Do you want the SRK certificates to have the CA flag set? (y/n)?: y&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;then I am getting the below cert.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;release/crts$ ls&lt;BR /&gt;CA1_sha256_prime256v1_v3_ca_crt.der &lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SGK3_1_sha256_prime256v1_v3_usr_crt.der&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK2_sha256_prime256v1_v3_ca_crt.der&lt;BR /&gt;CA1_sha256_prime256v1_v3_ca_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SGK3_1_sha256_prime256v1_v3_usr_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK2_sha256_prime256v1_v3_ca_crt.pem&lt;BR /&gt;SGK1_1_sha256_prime256v1_v3_usr_crt.der&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SGK4_1_sha256_prime256v1_v3_usr_crt.der &lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK3_sha256_prime256v1_v3_ca_crt.der&lt;BR /&gt;SGK1_1_sha256_prime256v1_v3_usr_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SGK4_1_sha256_prime256v1_v3_usr_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK3_sha256_prime256v1_v3_ca_crt.pem&lt;BR /&gt;SGK2_1_sha256_prime256v1_v3_usr_crt.der&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK1_sha256_prime256v1_v3_ca_crt.der&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK4_sha256_prime256v1_v3_ca_crt.der&lt;BR /&gt;SGK2_1_sha256_prime256v1_v3_usr_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK1_sha256_prime256v1_v3_ca_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;SRK4_sha256_prime256v1_v3_ca_crt.pem&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;So, as per the document,&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;- Generating SRK Table and SRK Hash in Linux 64-bit machines:&lt;BR /&gt;- In i.MX 8/8x family, the expected SRK HASH is of 512 bit.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;$ cd ../crts/&lt;BR /&gt;$ ../linux64/bin/srktool -a -s sha384 -t SRK_1_2_3_4_table.bin \&lt;BR /&gt;-e SRK_1_2_3_4_fuse.bin -f 1 -c \&lt;BR /&gt;SRK1_sha384_secp384r1_v3_usr_crt.pem,\&lt;BR /&gt;SRK2_sha384_secp384r1_v3_usr_crt.pem,\&lt;BR /&gt;SRK3_sha384_secp384r1_v3_usr_crt.pem,\&lt;BR /&gt;SRK4_sha384_secp384r1_v3_usr_crt.pem&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;my doubts:&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;1) mentioned as&amp;nbsp;&lt;FONT color="#FF6600"&gt;&lt;STRONG&gt;expected SRK HASH is of 512 bit&lt;/STRONG&gt; &lt;/FONT&gt;then why in command using &lt;FONT color="#FF6600"&gt;&lt;STRONG&gt;sha384&lt;/STRONG&gt;&lt;/FONT&gt; ? Is this correct ?&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;2) If I am using the CA flag then we are getting the certificate as&amp;nbsp;&lt;STRONG&gt;SRK1_sha256_prime256v1_v3_ca_crt.pem&amp;nbsp;&lt;/STRONG&gt;not&amp;nbsp;&lt;STRONG&gt;SRK1_sha384_secp384r1_v3_usr_crt.pem then in this case we should use this crt&amp;nbsp;SRK&amp;lt;num&amp;gt;_sha256_prime256v1_v3_ca_crt.pem &lt;/STRONG&gt;with this command&amp;nbsp;&lt;STRONG&gt;../linux64/bin/srktool&amp;nbsp; ?&amp;nbsp;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;3) If i have created the SRK hash table/fuse.bin using sha384 then we need to check the srk table with below cmd.&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;$ od -t x4 --endian=big SRK_1_2_3_4_fuse.bin&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;0000000 01b04697 0253376b 2066fe56 aaef9a91&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;0000020 e62e09d8 14fb7e36 d5b38d05 0982edab&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;0000040 7ada6576 2f6b4f59 1fd9347e 46e7305d&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;0000060 46e34bf0 89780bd1 c809e714 a17e2f4e&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;$ sha256sum SRK_1_2_3_4_table.bin&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;01b046970253376b2066fe56aaef9a91\&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;e62e09d814fb7e36d5b38d050982edab\&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;7ada65762f6b4f591fd9347e46e7305d\&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;46e34bf089780bd1c809e714a17e2f4e\&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="2"&gt;SRK_1_2_3_4_table.bin&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;Please clearify these doubts before I flash the keys in EEPROM&amp;nbsp;&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;Regards,&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="2"&gt;&lt;STRONG&gt;Rk&lt;/STRONG&gt;&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 29 Oct 2023 07:44:50 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1748148#M214860</guid>
      <dc:creator>rakesh3</dc:creator>
      <dc:date>2023-10-29T07:44:50Z</dc:date>
    </item>
    <item>
      <title>Re: imx8qxp secure boot keys</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1750101#M215042</link>
      <description>&lt;P&gt;&lt;SPAN&gt;1)&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;Yes, That is correct.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;2) One is with&amp;nbsp;PKI tree including a subordinate SGK key, the other is not. By the way,&amp;nbsp;Which version of CST are you using?&amp;nbsp; &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;3)&amp;nbsp; - In i.MX 8/8x family, the expected SRK HASH is of 512 bits. that means SRK HASH is 512bits generating with SRK tool in i.MX8/8X. against to that, In i.MX 8ULP/9x, the expected SRK HASH is of 256 bit. SRK HASH will be burned to fuse of SoC.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Best regards&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Harvey&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Nov 2023 08:02:50 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1750101#M215042</guid>
      <dc:creator>Harvey021</dc:creator>
      <dc:date>2023-11-01T08:02:50Z</dc:date>
    </item>
    <item>
      <title>Re: imx8qxp secure boot keys</title>
      <link>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1750296#M215062</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/192970"&gt;@Harvey021&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;thanks for reply,&lt;/P&gt;&lt;P&gt;I am using the CST version 3.1.0 (&lt;A href="https://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL" target="_blank"&gt;i.MX High Assurance Boot Reference Code Signing Tool (nxp.com)&lt;/A&gt;)&lt;/P&gt;&lt;P&gt;Is this version fine ?&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have fused the keys to Soc. But getting some ahab events.&lt;/P&gt;&lt;P&gt;Could you please have a look into my this ticket.&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.nxp.com/t5/i-MX-Processors/imx8qxp-mek-kernel-signing/m-p/1746343#M214706" target="_blank"&gt;https://community.nxp.com/t5/i-MX-Processors/imx8qxp-mek-kernel-signing/m-p/1746343#M214706&lt;/A&gt;&lt;/P&gt;&lt;P&gt;If possible could you please give some inputs on this query also.&lt;/P&gt;&lt;P&gt;Since I am following the&amp;nbsp; below doc and it seems straight forward but got stuck in ahab status. Please suggest some input on this.&lt;/P&gt;&lt;P&gt;&lt;A href="https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt" target="_blank"&gt;https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Rk&lt;/P&gt;</description>
      <pubDate>Wed, 01 Nov 2023 13:32:34 GMT</pubDate>
      <guid>https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-keys/m-p/1750296#M215062</guid>
      <dc:creator>rakesh3</dc:creator>
      <dc:date>2023-11-01T13:32:34Z</dc:date>
    </item>
  </channel>
</rss>

