Hello all
I have some questions about CMPA and the elftosb-gui tool.
1. What is the RKTH input in the elftosb-gui->device->security tab? Is it the value of ROTKH[...] in the CMPA area? And how do I write up to 4 ROTKH in CMPA?
2. What if I uncheck "!!Seal security configuration!!" when I process the data?
Best regards
Charles
Hello,
The RKTH is a 32-byte SHA-256 hash of the SHA-256 hashes of up to four root public keys. Multiple root public keys are supported to allow for key revocation.
You may review the information in chapter 7 of the user manual for the RKTH. Please let me know if you have further questions.
For the "Seal security configuration" checkbox, I will confirm this information and update you as soon as possible.
Best Regards,
Sabina
Hello Sabina
Thank you for your reply.
Now I understand it is the hash value of the RKH table in the signed image.
I have a further question about the up to 4 certificates supported in the LPC55xx. Assume that I used 4 certificates which form the certificate chain. My understanding is that the first one is the root certificate, then the intermediate certificates, and the last one is the end certificate for signing the image. When verifying the image, the bootloader will go through all the certificates to check if the image is authorized. My question is about certificate revocation. In my case, the four certificates are an integral whole of trust. If any of the certificates is revoked, the image will not pass verification. Is that right? And why can we select which certificate is revoked in the CFPA area?
Are there any documents about the detailed logic of how the bootloader verifies the image using certificates?
Thank you in advance.
Charles
Hello Charles,
The Root of Trust key is a key managed by the owner of the key, and its hash is written in PFR (like OTP). During booting, ROM will authenticate the certificate chain in the image. 4 RoT keys are there for the possibility of revocation. Each RoT can also be revoked through serial numbers.
I believe the following two documents will help clarify the use of the above information.
LPC55S69 Security Solutions for IoT AN12278
Please let me know if you have further questions.
Best Regards,
Sabina
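To make the RKTH description above concrete (a hash of the table of root-key hashes programmed into CMPA) and the revocation point from the later replies (a root-key slot can be marked revoked in CFPA), here is an added Python example that is not from the thread or from NXP's tools. It assumes a SHA-256-over-serialized-public-key RKH, zero-filled unused slots, and a simple set of revoked slot indices; the exact key serialization and the CFPA revocation field encoding are in the LPC55xx user manual and are not reproduced here.

```python
import hashlib

RKH_SLOTS = 4  # CMPA holds hashes for up to four root public keys


def root_key_hash(pubkey_bytes: bytes) -> bytes:
    """RKH: SHA-256 over the serialized root public key (serialization format is assumed)."""
    return hashlib.sha256(pubkey_bytes).digest()


def rkh_table(root_pubkeys):
    """Build the 4-entry RKH table; unused slots are zero-filled (assumption)."""
    if not 1 <= len(root_pubkeys) <= RKH_SLOTS:
        raise ValueError("between 1 and 4 root public keys are required")
    table = [root_key_hash(k) for k in root_pubkeys]
    table += [b"\x00" * 32] * (RKH_SLOTS - len(table))
    return table


def rkth(root_pubkeys) -> bytes:
    """RKTH: SHA-256 over the concatenated RKH table. This is the value written into CMPA."""
    return hashlib.sha256(b"".join(rkh_table(root_pubkeys))).digest()


def verify_root_key(stored_rkth, image_rkh_table, signing_root_pubkey, revoked_slots):
    """Model of the boot-time root-key check: the RKH table carried in the image must hash
    to the RKTH in CMPA, the root key that signed the chain must occupy a table slot, and
    that slot must not be revoked (revocation state lives in CFPA)."""
    if len(image_rkh_table) != RKH_SLOTS:
        return False, "RKH table must have exactly 4 entries"
    if hashlib.sha256(b"".join(image_rkh_table)).digest() != stored_rkth:
        return False, "RKH table does not match RKTH in CMPA"
    h = root_key_hash(signing_root_pubkey)
    if h not in image_rkh_table:
        return False, "signing root key is not in the RKH table"
    slot = image_rkh_table.index(h)
    if slot in revoked_slots:
        return False, f"root key slot {slot} is revoked"
    return True, f"root key slot {slot} accepted"


# Constructed stand-ins for four serialized root public keys (not real keys).
ROOT_KEYS = [b"constructed-root-public-key-%d" % i for i in range(4)]

if __name__ == "__main__":
    cmpa_rkth = rkth(ROOT_KEYS)
    print("RKTH for CMPA:", cmpa_rkth.hex())
    print(verify_root_key(cmpa_rkth, rkh_table(ROOT_KEYS), ROOT_KEYS[1], set()))
    print(verify_root_key(cmpa_rkth, rkh_table(ROOT_KEYS), ROOT_KEYS[1], {1}))
```

Revoking slot 1 in the model rejects only images signed under root key 1; the other three slots still verify against the unchanged RKTH, which is why the table holds four entries instead of one.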