Signing firmware, how to restrict?

Hi

Sorry in advance if this is a dumb question about signed firmware.

I've read the Secure Boot AN and the LPC55 user manual, but there is something I'm missing.

The secure boot firmware contains the signing public key (in the certificate(s)), and is signed with it, if I got it correctly.

So far so good.

The part I don't understand is how an LPC55 is pinned to a certificate or a set of certificates?

I.e. how can I prevent a completely valid secure firmware, e.g. signed by somebody else, from being used?

There is something in the PFR to deal with that, I guess, but I could not figure it out.

I expected the root public key somewhere there, so that it could be used to validate the whole chain and reject every signature not coming from MY certificate chain, but I didn't find it.

If someone could kindly redirect me to the relevant part of the doc and/or shed some light, that would be appreciated.

Thank you in advance

Tc

NXP TechSupport

Hello Tres,

Yes, pay attention to "5.5 CMPA page preparation" in the secure boot AN: program the RKTH to the chip. This hash is generated from the certificates during the signing process, so it corresponds to your private key and certificate.

Regards,

Alice
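
A simplified model of the pinning described in the answer above, added here as an illustration and not taken from NXP's documentation or tools: the device stores only the RKTH, and an image is accepted only if its root key hashes into a table that matches that stored value. The four-slot table, the zero-filled unused slots, the opaque key bytes and all function names are assumptions of this sketch; signature verification of the chain and the image happens after this check and is not shown.

```python
import hashlib
import hmac

SLOTS = 4  # assumed table size for this model

def rkh(pubkey: bytes) -> bytes:
    """Hash of one root public key (key encoding treated as opaque bytes here)."""
    return hashlib.sha256(pubkey).digest()

def build_table(root_pubkeys):
    """Fixed-size table of root key hashes; unused slots zero-filled (assumption)."""
    if not 1 <= len(root_pubkeys) <= SLOTS:
        raise ValueError("need 1..4 root keys")
    table = [rkh(k) for k in root_pubkeys]
    table += [bytes(32)] * (SLOTS - len(table))
    return table

def rkth(table):
    """Root Key Table Hash: one digest over the concatenated table entries."""
    return hashlib.sha256(b"".join(table)).digest()

def root_is_pinned(device_rkth, image_table, image_root_pubkey):
    """Boot-time check: is the image's root key covered by the value stored in the device?"""
    if len(image_table) != SLOTS or any(len(e) != 32 for e in image_table):
        return False
    # 1. The table shipped in the image must hash to the RKTH stored in the CMPA.
    if not hmac.compare_digest(rkth(image_table), device_rkth):
        return False
    # 2. The root key the image's certificate chain starts from must be in that table.
    candidate = rkh(image_root_pubkey)
    return any(hmac.compare_digest(candidate, e) for e in image_table)

# Constructed sample keys (placeholders, not real RSA keys).
MY_ROOTS = [b"my-root-key-0", b"my-root-key-1"]
OTHER_ROOT = b"someone-elses-root-key"

DEVICE_RKTH = rkth(build_table(MY_ROOTS))  # provisioned once into the CMPA

def demo():
    mine = root_is_pinned(DEVICE_RKTH, build_table(MY_ROOTS), MY_ROOTS[1])
    # A correctly self-signed image from another party carries its own table.
    foreign = root_is_pinned(DEVICE_RKTH, build_table([OTHER_ROOT]), OTHER_ROOT)
    # An image that copies my table but starts its chain from a different root key.
    spliced = root_is_pinned(DEVICE_RKTH, build_table(MY_ROOTS), OTHER_ROOT)
    return mine, foreign, spliced

if __name__ == "__main__":
    print(demo())
```

Because only a 32-byte digest is stored on the chip, the root public keys themselves never need to be in the PFR, which is why no root key is found there.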

Hello again

Maybe just the hash of the root certificate is stored in the PFR and is checked against the one in the firmware image?

So only firmware(s) with the right root certificate hash are accepted?

Thanks

Tc

Thanks a lot!

Best Regards

Tres
