FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

RKTH in elftosb-gui

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

RKTH in elftosb-gui

‎11-10-2019 11:15 PM
1,056 Views
binjun-charles_
Contributor II

Hello all

I have some questions about cmpa and elftosb-gui tool

1. what is RKTH input in elftosb-gui->device->security tab? it is the value of ROTKH[...] in CMPA area? And how to write up to 4 ROTKH in CMPA?

2. what if  i uncheck "!!Seal security configuration!!" when i process the data?

Best regards

Charles

Labels (1)
Labels
Reply
3 Replies

‎11-14-2019 02:38 PM
838 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hello,

The RKTH is  32 byte SHA-256 hash of SHA-256 hashes of up to four root public keys.Multiple root public keys are supported to allow for key revocation.

pastedImage_1.png

You may review the information on chapter 7 of the user manual for the RKTH. Please let me know if you have further qustions.

For the "Seal security configuration" checkbox, I will confirm this information and update you as soon as possible.

Best Regards,

Sabina

0 Kudos
Reply

‎11-19-2019 10:59 PM
838 Views
binjun-charles_
Contributor II

Hello Sabina

Thank you for your reply.

Now i understood it is the hash value of RKH table in signed image. 

I have a further question about up to 4 certificates supported in the LPC55xx.  Assuming that i used 4 certificates which are the certificate chain. My understanding is the first one is Root certificate and then intermediate certificates, the last one is end certificate for signing image. When verifying the image, bootloader will go through all the certificates to check if image is authorized. My question is about certificate revocation. In my case, four certificates are an integral whole of trust. Any of certificates is revoked  means image will not pass verification. Is it right? And why can we select which certificate is revoked in CFPA area?. 

And are there any documents about the detailed logic of how to verify the image using certificates in bootloader?

Thank you in advance. 

Charles

0 Kudos
Reply

‎11-23-2019 09:30 PM
838 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hello Charles,

Root of Trust key is a key managed by owner of key and this hash is written in PFR (like OTP). During booting ROM will authenticate certificates chain in image. 4 RoT keys are there for revocation possibility. Each RoT is also possible to revocate through serial numbers.

I believe the following two documents will help clarify the use of the above information.

LPC55Sxx Secure Boot AN12283

LPC55S69 Security Solutions for IoT AN12278

Please let me know if you have further questions.

Best Regards,

Sabina

0 Kudos
Reply