2378355_en-US

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

2378355_en-US

2378355_en-US

KW45 Secure Boot with no private key

Hello,

is there a method for authenticating images signed by external PKI? Let me explain better my question.

I would like to enable secure boot by burning fuse CUST_PROD_OEMFW_AUTH_PUK with sha-256 of public key. I have the certificate with the public key provided by the OEM but I don't have the related private key because I am not the signer. I can only sign my plain test by external portal with a dedicated PKI and obtain ECDSA signature.

I was referring to the following image

alereale_0-1780922974962.png

but, assuming that i can obtain the signature, how can I know the exact tbs? in particular the data contained in the vector table?

alereale_1-1780923016190.png


I hope I have explained my question in a good way.

Thank you,

Alessandro

Re: KW45 Secure Boot with no private key

AN14670 EdgeLock 2GO Provisioning via SPSDK for MCUs

AN14624 EdgeLock 2GO Provisioning via Secure Provisioning Tool (SEC) for MCUs

AN14109 KW45 and K32W148 Secure Boot Using the SEC Tool

Re: KW45 Secure Boot with no private key

Hi @alereale 

It is possible to configure external signature provider. It is documented here: Signature provider - Generic workflows — Secure Provisioning Tool 26.03

Short story: You need to implement custom HTTP server providing the API for signing the application, the sample implementation of the server is provided as a source code.

Re: KW45 Secure Boot with no private key

Hi @marek-trmac
Thank you for your reply.
I was wondering if that is the only solution? In this way, I need to "force" the OEM to implement such a custom HTTP server.
I say that because the OEM already has a server where I can upload my binary file for signing it.
In general, can you confirm that the only way to enable Secure Boot in KW45 is to go through Secure Provisioning Tool?
Thank you very much.
Regards,
Alessandro

タグ(1)
評価なし
バージョン履歴
最終更新日:
‎06-11-2026 02:36 AM
更新者: