Hello,
is there a method for authenticating images signed by external PKI? Let me explain better my question.
I would like to enable secure boot by burning fuse CUST_PROD_OEMFW_AUTH_PUK with sha-256 of public key. I have the certificate with the public key provided by the OEM but I don't have the related private key because I am not the signer. I can only sign my plain test by external portal with a dedicated PKI and obtain ECDSA signature.
I was referring to the following image
but, assuming that i can obtain the signature, how can I know the exact tbs? in particular the data contained in the vector table?
I hope I have explained my question in a good way.
Thank you,
Alessandro
AN14670 EdgeLock 2GO Provisioning via SPSDK for MCUs
AN14624 EdgeLock 2GO Provisioning via Secure Provisioning Tool (SEC) for MCUs
AN14109 KW45 and K32W148 Secure Boot Using the SEC Tool
Hi @alereale
It is possible to configure external signature provider. It is documented here: Signature provider - Generic workflows — Secure Provisioning Tool 26.03
Short story: You need to implement custom HTTP server providing the API for signing the application, the sample implementation of the server is provided as a source code.
Hi @marek-trmac
Thank you for your reply.
I was wondering if that is the only solution? In this way, I need to "force" the OEM to implement such a custom HTTP server.
I say that because the OEM already has a server where I can upload my binary file for signing it.
In general, can you confirm that the only way to enable Secure Boot in KW45 is to go through Secure Provisioning Tool?
Thank you very much.
Regards,
Alessandro