- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- QorIQ处理平台
- :
- Layerscape
- :
- LS1043A chain of trust (secure boot)
LS1043A chain of trust (secure boot)
LS1043A chain of trust (secure boot)
Respected Folks,
I am adding chain of trust, full secure boot in my LS1043A device.
I have a following queries on the same.
- My first stage bootloader will be signed and authenticated with an OTP fuse.
Q1- is it possible to use ECDSA instead of RSA keys, the bootloader is only signed not the encrypted right?
Q2- How will the second stage bootloader be authenticated using CAAM, where should the keys be stored for the same?
Q3- FIT image authentication will be done by keys in second stage bootloader, how can I encrypt second stage bootloader using CAAM?
Thanks in advance.
##LS1043A #Secureboo
Thanks a lot for the response.
I still have a query on this.Q2- How will the second stage bootloader be authenticated using CAAM,
where should the keys be stored for the same?
Answer: When the SoC has the module CAAM the secure key will be stored in a non-volatile storage.
Follow-up question : after enabling CAAM, do I need to make any changes in the first stage bootloader to verify second stage bootloader?
Can you tell me how the second stage bootloader is verified?
Q1- is it possible to use ECDSA instead of RSA keys? Not for the LS1043
the bootloader is only signed not the encrypted right?
Answ: You are right.
On the other hand, to preserve confidentiality of the images, the images can be encrypted and stored as blobs in the flash memory of the device. The validated ESBC U-Boot image can use Cryptographic blob mechanism to create a chain of trust with confidentiality.
For details about Cryptographic blob mechanism and chain of trust with confidentiality, see "Cryptographic blobs" in QorIQ Trust Architecture 3.0 User Guide.
Q2- How will the second stage bootloader be authenticated using CAAM,
where should the keys be stored for the same?
Answ: When the SoC has the module CAAM the secure key will be stored in a non-volatile storage.
Q3- FIT image authentication will be done by keys in second stage bootloader,
how can I encrypt second stage bootloader using CAAM?
Answ: the CAAM is intended to be used at user-land not for bootloader stages.
