topic Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux in i.MX Processors

i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

petero5 — Fri, 01 Aug 2025 13:52:43 GMT

How is the following Secure Boot / Chain of Trust scenario usually handled? What are the precedents?

In most of the documentation/examples, the scenario is simple: the same company creates the device and the application software, sells the device with application software on it, and only their keys need to be accommodated.

However in our case: we manufacture i.MX 8X based devices. Our customers develop software applications for the devices, and then sell the devices with software to their customers.

Our keys are in the AHAB SRK. But we also need to accommodate our customers keys somewhere, so that they can sign their software updates...

We supply our customers with the SDK produced by Yocto, and the Linux rootfs. Our customers don't perform Yocto builds themselves. They build their application software using the SDK.

What precedents are there for how this scenario is usually handled, in terms of secure boot and whose keys are stored where? What is the terminology for the different parties?

Thank you
Peter

Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

Harvey021 — Mon, 04 Aug 2025 06:16:21 GMT

The section <7.3 Using CST with Hardware Security Module> of CST User Guide can be a reference for you.

You can download the guide from IMX_CST_TOOL

Regards

Harvey

Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

petero5 — Tue, 05 Aug 2025 09:07:41 GMT

Hi @Harvey021 thank you, yes we are using CST with HSM.

But are still looking for best practices re chain of trust involving two companies, rather than one:

Company A manufactures the device, builds the Yocto SDK and the FIT image, U-Boot, Linux kernel and rootfs.

Company B receives the above and develops an application (and creates the application partition).

If A writes the SRKs and closes the device, then B can trust that the device and images have not been tampered with on the way to them.

But there needs to be a way to enroll B's public key for the application partition, or include that in the chain of trust?

Thank you
Peter

Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

Harvey021 — Thu, 07 Aug 2025 06:05:13 GMT

Hi @petero5

I've sent you internal system emails.

Regards

Harvey

Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

petero5 — Thu, 07 Aug 2025 08:23:56 GMT

Hi @Harvey021. Thank you. Where can I find the internal system emails please? I've looked under Private Messages / Inbox, but that is empty?

Re: i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

Harvey021 — Thu, 07 Aug 2025 09:53:46 GMT

Please let me know if you not received yet.

Regards

Harvey