Hello,
If I use a list of public keys (by enabling "Srk table flag" in CSF header), and generate the appropriate SRKH value for programming in fuse, does this mean that every ISBC CSF header from now on must include the same list of all public keys and in the same order?
Is there an example for running uni_sign tool with such configuration? The document "QorIQ SDK v2.0-1703 Documentation" only includes examples for a single key.
Thank you,
Dmitri
已解决! 转到解答。
Yes, that means all your T2080 with the same SRKH value must use the same
list of all public keys. However, you can choose to use any one of the
maximum four keys. i.e. Since the SRKH is based on your keys, once the SRKH
is burned, you cannot add more keys to the list as it will alter the SRKH
value and make the checking fail.
In any of the input_files in the CST folder(e.g.
cst/input_files/uni_sign/t1_t2_t4/input_uboot_nor_secure) , you can:
#####
# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>
# USAGE (for 1040/C290/9164/4240): PRI_KEY = <key1.pri>, <key2.pri>,
<key3.pri>, <key4.pri>
# PRI_KEY (Default private key :srk.pri) - [Optional]
PRI_KEY=srk1.pri, srk2.pri, srk3.pri, srk4.pri
# PUB_KEY (Default public key :srk.pub) - [Optional]
PUB_KEY=srk1.pub, srk2.pub, srk3.pub, srk4.pub,
# Please provide KEY_SELECT(between 1 to 4) (Required for
1040/C290/9164/4240 only) - [Optional]
KEY_SELECT=3
#####
In this case, it will use srk3.pri and srk3.pub to sign the image. If later
you revoke key #3, then the secure boot will fail with the image you sign by
srk3.pri/pub. You still can use key1,2, or 4 to sign image and run on your
T2080.
Yes, that means all your T2080 with the same SRKH value must use the same
list of all public keys. However, you can choose to use any one of the
maximum four keys. i.e. Since the SRKH is based on your keys, once the SRKH
is burned, you cannot add more keys to the list as it will alter the SRKH
value and make the checking fail.
In any of the input_files in the CST folder(e.g.
cst/input_files/uni_sign/t1_t2_t4/input_uboot_nor_secure) , you can:
#####
# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>
# USAGE (for 1040/C290/9164/4240): PRI_KEY = <key1.pri>, <key2.pri>,
<key3.pri>, <key4.pri>
# PRI_KEY (Default private key :srk.pri) - [Optional]
PRI_KEY=srk1.pri, srk2.pri, srk3.pri, srk4.pri
# PUB_KEY (Default public key :srk.pub) - [Optional]
PUB_KEY=srk1.pub, srk2.pub, srk3.pub, srk4.pub,
# Please provide KEY_SELECT(between 1 to 4) (Required for
1040/C290/9164/4240 only) - [Optional]
KEY_SELECT=3
#####
In this case, it will use srk3.pri and srk3.pub to sign the image. If later
you revoke key #3, then the secure boot will fail with the image you sign by
srk3.pri/pub. You still can use key1,2, or 4 to sign image and run on your
T2080.