https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013460#M39676 <HTML><HEAD></HEAD><BODY><P>Hello,</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><SPAN style="color: #51626f; background-color: #ffffff;"><SPAN>&nbsp;</SPAN>If I put any revocation IDs anywhere else up in the chain, they would be ignored.</SPAN></BLOCKQUOTE><P>Yes this is correct, it has to be the final certificate.</P><P></P><P>Not a problem, glad to help!</P><P>If you have any questions in the future don't hesitate to contact us again.</P><P>&nbsp;</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Best Regards,</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Sabina</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">-----------------------------------------------------------------------------------------------------------------------</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Note: If this post answers your question, please click the Correct Answer button. Thank you!</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">-----------------------------------------------------------------------------------------------------------------------&nbsp;</P></BODY></HTML> Fri, 27 Mar 2020 04:03:43 GMT Sabina_Bruce 2020-03-27T04:03:43Z https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013457#M39673 <HTML><HEAD></HEAD><BODY><P>I've read through <A href="https://www.nxp.com/docs/en/application-note/AN12283.pdf">Application Note 12283</A>&nbsp;(LPC55Sxx Secure Boot) and am trying to work through exactly how a certificate chain, if it is used, is walked on the processor.&nbsp; My confusion is that the App Note only ever talks about one certificate - the root.&nbsp; It mentions in section 3.4 that you can and should create a certificate chain, but then, how does the ROM validate the chain?&nbsp; Figure 5 (Signed image format) only shows one x509 certificate that would be included in the firmware file.&nbsp; What if my chain has a root -&gt; intermediary -&gt; end entity?&nbsp; Is it expecting that one x509 certificate to include the entire chain in it?&nbsp; If so, are there any length restrictions?&nbsp; This just isn't clear :-(</P><P></P><P>Also, when generating certificate chains, there is the sequence id that has the revocation id, but each cert in the chain could have their own sequence numbers.&nbsp; What is best practice here?&nbsp; Should all of the sequence numbers in the chain be the same for the purpose of anti-rollback?&nbsp; Or, is only the end entity sequence number checked?</P><P></P><P>I'm sorry if these questions seem silly, but considering the probability of me&nbsp;bricking&nbsp;my dev kit is high if I make a mistake in this stuff, I'd rather ask silly questions than be left with a paperweight.</P></BODY></HTML> Wed, 25 Mar 2020 01:02:58 GMT https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013457#M39673 jlongo 2020-03-25T01:02:58Z https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013458#M39674 <HTML><HEAD></HEAD><BODY><P>Hello Jeffrey,</P><P>Hope you are doing well.</P><P>I recommend to take a look at Chapter 7 of the&nbsp;<A href="https://www.nxp.com/webapp/Download?colCode=UM11126">reference manual</A>. It explains with the details of what you are looking for, such as the structure, length, considerations, etc.</P><P>Specifically, section 7.3.5 where you will find the certificate block structure and its requirements and recommendations.</P><P><span class="lia-inline-image-display-wrapper" image-alt="pastedImage_1.png"><img src="https://community.nxp.com/t5/image/serverpage/image-id/103520i32A5458001565210/image-size/large?v=v2&amp;px=999" role="button" title="pastedImage_1.png" alt="pastedImage_1.png" /></span></P><P></P><P></P><P>For the revocation ID, The x509 serial number field in the <STRONG>image signing certificate</STRONG> is used the following way: byte 0<BR />shall be 0x3c, byte 1 shall be 0xc3, byte 2 and byte 3 form an unsigned 16-bit integer whose value is compared with the IMAGE_KEY_REVOKE value in the PFR. On mismatch, the image authentication process will fail.</P><P>The image signing certificate is the final certificate of the certificate table. It's not a problem if you use one certificate, for more details on the structure you can refer to the last part of section&nbsp;7.3.5.2.</P><P></P><P>Hope this helps!</P><P></P><P>If you need any further information or have any further questions, please do not hesitate to get back to me.&nbsp;</P><P>Best Regards,</P><P>Sabina</P><P>-----------------------------------------------------------------------------------------------------------------------</P><P>Note: If this post answers your question, please click the Correct Answer button. Thank you!</P><P>-----------------------------------------------------------------------------------------------------------------------&nbsp;</P></BODY></HTML> Thu, 26 Mar 2020 16:13:28 GMT https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013458#M39674 Sabina_Bruce 2020-03-26T16:13:28Z https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013459#M39675 <HTML><HEAD></HEAD><BODY><P><A class="jx-jive-macro-user" href="https://community.nxp.com/people/sabinabruce">sabinabruce</A>,</P><P></P><P>Thanks for the pointer to the additional information in the UM.&nbsp; The explanation in the user manual that the "Certificate" is really a "Certificate Table" where it can contain multiple certificates was immensely helpful and cleared up a lot of my confusion around that.</P><P></P><P>And, from what I understand from your explanation, it is the revocation ID in the end entity (image signing certificate) that is used to enforce rollback protection.&nbsp; If I put any revocation IDs anywhere else up in the chain, they would be ignored.</P><P></P><P>If you get a chance to confirm my understanding, that would be great. Thanks so much for your reply!!!</P></BODY></HTML> Thu, 26 Mar 2020 16:23:43 GMT https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013459#M39675 jlongo 2020-03-26T16:23:43Z https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013460#M39676 <HTML><HEAD></HEAD><BODY><P>Hello,</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><SPAN style="color: #51626f; background-color: #ffffff;"><SPAN>&nbsp;</SPAN>If I put any revocation IDs anywhere else up in the chain, they would be ignored.</SPAN></BLOCKQUOTE><P>Yes this is correct, it has to be the final certificate.</P><P></P><P>Not a problem, glad to help!</P><P>If you have any questions in the future don't hesitate to contact us again.</P><P>&nbsp;</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Best Regards,</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Sabina</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">-----------------------------------------------------------------------------------------------------------------------</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">Note: If this post answers your question, please click the Correct Answer button. Thank you!</P><P style="color: #51626f; background-color: #ffffff; border: 0px;">-----------------------------------------------------------------------------------------------------------------------&nbsp;</P></BODY></HTML> Fri, 27 Mar 2020 04:03:43 GMT https://community.nxp.com/t5/LPC-Microcontrollers/LPC55S69-Signed-Image-Boot-Questions-on-using-Certificate-Chains/m-p/1013460#M39676 Sabina_Bruce 2020-03-27T04:03:43Z