FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

LS1043A chain of trust (secure boot)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LS1043A chain of trust (secure boot)

‎12-19-2023 05:09 AM
1,280 Views
gandhi_999
Contributor III

Respected Folks,

I am adding chain of trust, full secure boot in my LS1043A device.

I have a following queries on the same.
- My first stage bootloader will be signed and authenticated with an OTP fuse.

Q1- is it possible to use ECDSA instead of RSA keys, the bootloader is only signed not the encrypted right?

Q2- How will the second stage bootloader be authenticated using CAAM, where should the keys be stored for the same?

Q3- FIT image authentication will be done by keys in second stage bootloader, how can I encrypt second stage bootloader using CAAM?


Thanks in advance.
##LS1043A #Secureboo

Labels (1)
Labels
Tags (2)
0 Kudos
Reply
2 Replies

‎01-08-2024 05:28 AM
1,167 Views
gandhi_999
Contributor III

Thanks a lot for the response.

I still have a query on this. 

Q2- How will the second stage bootloader be authenticated using CAAM,

where should the keys be stored for the same?

Answer: When the SoC has the module CAAM the secure key will be stored in a non-volatile storage.


Follow-up question : after enabling CAAM, do I need to make any changes in the first stage bootloader to verify second stage bootloader?
Can you tell me how the second stage bootloader is verified?


 

0 Kudos
Reply

‎12-21-2023 12:44 PM
1,244 Views
LFGP
NXP TechSupport
NXP TechSupport

Q1- is it possible to use ECDSA instead of RSA keys? Not for the LS1043

the bootloader is only signed not the encrypted right?

Answ: You are right.

On the other hand, to preserve confidentiality of the images, the images can be encrypted and stored as blobs in the flash memory of the device. The validated ESBC U-Boot image can use Cryptographic blob mechanism to create a chain of trust with confidentiality.

For details about Cryptographic blob mechanism and chain of trust with confidentiality, see "Cryptographic blobs" in QorIQ Trust Architecture 3.0 User Guide.

 

Q2- How will the second stage bootloader be authenticated using CAAM,

where should the keys be stored for the same?

Answ: When the SoC has the module CAAM the secure key will be stored in a non-volatile storage.

Q3- FIT image authentication will be done by keys in second stage bootloader,

how can I encrypt second stage bootloader using CAAM?

Answ: the CAAM is intended to be used at user-land not for bootloader stages.

0 Kudos
Reply