帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

RKTH in elftosb-gui

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

RKTH in elftosb-gui

‎11-10-2019 11:15 PM
2,156 次查看
binjun-charles_
Contributor II

Hello all

I have some questions about cmpa and elftosb-gui tool

1. what is RKTH input in elftosb-gui->device->security tab? it is the value of ROTKH[...] in CMPA area? And how to write up to 4 ROTKH in CMPA?

2. what if  i uncheck "!!Seal security configuration!!" when i process the data?

Best regards

Charles

标签 (1)
标签
回复
3 回复数

‎11-14-2019 02:38 PM
1,938 次查看
Sabina_Bruce
NXP Employee
NXP Employee

Hello,

The RKTH is  32 byte SHA-256 hash of SHA-256 hashes of up to four root public keys.Multiple root public keys are supported to allow for key revocation.

pastedImage_1.png

You may review the information on chapter 7 of the user manual for the RKTH. Please let me know if you have further qustions.

For the "Seal security configuration" checkbox, I will confirm this information and update you as soon as possible.

Best Regards,

Sabina

0 项奖励
回复

‎11-19-2019 10:59 PM
1,938 次查看
binjun-charles_
Contributor II

Hello Sabina

Thank you for your reply.

Now i understood it is the hash value of RKH table in signed image. 

I have a further question about up to 4 certificates supported in the LPC55xx.  Assuming that i used 4 certificates which are the certificate chain. My understanding is the first one is Root certificate and then intermediate certificates, the last one is end certificate for signing image. When verifying the image, bootloader will go through all the certificates to check if image is authorized. My question is about certificate revocation. In my case, four certificates are an integral whole of trust. Any of certificates is revoked  means image will not pass verification. Is it right? And why can we select which certificate is revoked in CFPA area?. 

And are there any documents about the detailed logic of how to verify the image using certificates in bootloader?

Thank you in advance. 

Charles

0 项奖励
回复

‎11-23-2019 09:30 PM
1,938 次查看
Sabina_Bruce
NXP Employee
NXP Employee

Hello Charles,

Root of Trust key is a key managed by owner of key and this hash is written in PFR (like OTP). During booting ROM will authenticate certificates chain in image. 4 RoT keys are there for revocation possibility. Each RoT is also possible to revocate through serial numbers.

I believe the following two documents will help clarify the use of the above information.

LPC55Sxx Secure Boot AN12283

LPC55S69 Security Solutions for IoT AN12278

Please let me know if you have further questions.

Best Regards,

Sabina

0 项奖励
回复