https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054999#M40853 <HTML><HEAD></HEAD><BODY><P>Thanks a lot !</P><P></P><P>Best Regards</P><P>Tres</P></BODY></HTML> Tue, 04 Aug 2020 11:26:53 GMT trescurieux 2020-08-04T11:26:53Z https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054996#M40850 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Sorry in advance if this is a dumb question about signed firmware.</P><P></P><P>I've read the Secure Boot AN and the LPC55&nbsp; user manual, but there is something i'm missing</P><P></P><P>The secure boot firmware contains the signing public key (in the certificate(s)), and is signed&nbsp; with it if it got it correctly.</P><P>So far so good.</P><P></P><P>The part i dont understand is how a LPC55 is pinned to a certificate&nbsp; or a set of certificates ?</P><P>i.e. how can i prevent a completely valid secure firmware e. signed by somebody else to be used ?</P><P></P><P>There is something in the PFR to deal with that i guess, but i could not figure it out.</P><P>I expected the root&nbsp; public key somewhere there, so that i could be used to validate the whole chain, and reject every signature not coming from MY certificate chain but i didnt find it.</P><P></P><P>If someone could kindly redirect me to the relevant part of the doc /and or shed some light that would be appreciated</P><P></P><P></P><P>Thank you in advance</P><P>Tc</P></BODY></HTML> Mon, 03 Aug 2020 14:49:14 GMT https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054996#M40850 trescurieux 2020-08-03T14:49:14Z https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054997#M40851 <HTML><HEAD></HEAD><BODY><P>Hello again</P><P>Maybe just the hash of the root certificate is stored in the PFR and is checked against the one in the firmware&nbsp; image ?</P><P>So only firmware(s) with the right root certificate hash are accepted ?</P><P></P><P>Thanks</P><P>Tc</P></BODY></HTML> Mon, 03 Aug 2020 15:41:51 GMT https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054997#M40851 trescurieux 2020-08-03T15:41:51Z https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054998#M40852 <HTML><HEAD></HEAD><BODY><P>Hello Tres,</P><P>Yes, pay attention in "<SPAN style="font-size: 20px;">5.5</SPAN><SPAN style="font-size: 20px;">CMPA page preparation" of secure boot AN, program RKTH&nbsp;</SPAN></P><P><SPAN style="font-size: 20px;">to chip, this hash is generated from certificates during signing process.&nbsp; So it corresponding to your private key and certificate.</SPAN></P><P><SPAN style="font-size: 20px;"><span class="lia-inline-image-display-wrapper" image-alt="pastedImage_1.png"><img src="https://community.nxp.com/t5/image/serverpage/image-id/109422iA79A9B4488B6C8A3/image-size/large?v=v2&amp;px=999" role="button" title="pastedImage_1.png" alt="pastedImage_1.png" /></span></SPAN></P><P></P><P><SPAN style="font-size: 20px;">Regards,</SPAN></P><P><SPAN style="font-size: 20px;">Alice</SPAN></P></BODY></HTML> Tue, 04 Aug 2020 08:14:47 GMT https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054998#M40852 Alice_Yang 2020-08-04T08:14:47Z https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054999#M40853 <HTML><HEAD></HEAD><BODY><P>Thanks a lot !</P><P></P><P>Best Regards</P><P>Tres</P></BODY></HTML> Tue, 04 Aug 2020 11:26:53 GMT https://community.nxp.com/t5/LPC-Microcontrollers/Signing-firmware-how-to-restrict/m-p/1054999#M40853 trescurieux 2020-08-04T11:26:53Z