Signing firmware, how to restrict?

Hi

Sorry in advance if this is a dumb question about signed firmware.

I've read the Secure Boot AN and the LPC55 user manual, but there is something I'm missing.

The secure boot firmware contains the signing public key (in the certificate(s)), and is signed with it if I got it correctly.

So far so good.

The part I don't understand is how an LPC55 is pinned to a certificate or a set of certificates?

i.e. how can I prevent a completely valid secure firmware e. signed by somebody else to be used?

There is something in the PFR to deal with that I guess, but I could not figure it out.

I expected the root public key somewhere there, so that it could be used to validate the whole chain, and reject every signature not coming from MY certificate chain, but I didn't find it.

If someone could kindly redirect me to the relevant part of the doc and/or shed some light, that would be appreciated.

Thank you in advance

Tc


Hello again

Maybe just the hash of the root certificate is stored in the PFR and is checked against the one in the firmware image?

So only firmware(s) with the right root certificate hash are accepted?

Thanks

Tc

NXP TechSupport

Hello Tres,

Yes, pay attention to "5.5 CMPA page preparation" of the secure boot AN, program RKTH to the chip; this hash is generated from the certificates during the signing process. So it corresponds to your private key and certificate.


Regards,

Alice
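
A model of the pinning check discussed in this thread, added here as an example; it is not NXP's boot ROM code and does not come from the application note. It assumes each root key hash (RKH) is SHA-256 over the key's modulus and exponent, a four-slot RKH table with unused slots zero-filled, and RKTH as SHA-256 over that table; the key bytes are constructed stand-ins, not real keys.

```python
import hashlib
import hmac

RKH_SLOTS = 4  # assumed table size: four root key hash slots

def root_key_hash(modulus: bytes, exponent: bytes) -> bytes:
    """RKH: SHA-256 over a root public key (assumed: modulus || exponent)."""
    return hashlib.sha256(modulus + exponent).digest()

def build_rkh_table(root_keys):
    """Hash up to four root keys; unused slots are zero-filled (assumption)."""
    if not 1 <= len(root_keys) <= RKH_SLOTS:
        raise ValueError("need 1..4 root keys")
    table = [root_key_hash(n, e) for n, e in root_keys]
    table += [bytes(32)] * (RKH_SLOTS - len(table))
    return table

def rkth(table) -> bytes:
    """RKTH: SHA-256 over the concatenated RKH table; programmed into the CMPA."""
    return hashlib.sha256(b"".join(table)).digest()

def image_is_pinned(device_rkth, image_table, image_root_key) -> bool:
    """Models the pinning step only; signature verification is separate."""
    if len(image_table) != RKH_SLOTS or any(len(h) != 32 for h in image_table):
        return False
    # 1. The table carried by the image must hash to the value in the device.
    if not hmac.compare_digest(rkth(image_table), device_rkth):
        return False
    # 2. The root key that starts the image's chain must be in that table.
    return root_key_hash(*image_root_key) in image_table

# Constructed stand-ins for RSA public keys (modulus, exponent); not real keys.
MY_ROOT = (b"\xA1" * 256, b"\x01\x00\x01")
MY_ROOT_2 = (b"\xA2" * 256, b"\x01\x00\x01")
OTHER_ROOT = (b"\xB7" * 256, b"\x01\x00\x01")

MY_TABLE = build_rkh_table([MY_ROOT, MY_ROOT_2])
DEVICE_RKTH = rkth(MY_TABLE)  # value programmed into the chip
OTHER_TABLE = build_rkh_table([OTHER_ROOT])

def demo():
    return {
        "mine": image_is_pinned(DEVICE_RKTH, MY_TABLE, MY_ROOT),
        "second_root": image_is_pinned(DEVICE_RKTH, MY_TABLE, MY_ROOT_2),
        "foreign_chain": image_is_pinned(DEVICE_RKTH, OTHER_TABLE, OTHER_ROOT),
        "foreign_key_my_table": image_is_pinned(DEVICE_RKTH, MY_TABLE, OTHER_ROOT),
    }

if __name__ == "__main__":
    print(demo())
```

An image signed under someone else's root fails at step 1 because its table hashes to a different RKTH, and it cannot reuse your table because its root key is not in it (step 2).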


Thanks a lot!

Best Regards

Tres
