Hi All,
I met a problem when generating a PKI tree via hab4_pki_tree.sh of cst-2.3.1.
Even if I input the same CA key, I get a different SRK each time.
Is it reasonable?
I supposed that I could get the same SRK/CSF/IMG if I input the same CA.
BR,
carter
Hello,
This is an implementation feature of NXP CST.
Customers can design their own; please refer to Appendix B (Replacing the CST Backend Implementation) of the CST User's Guide (HABCST_UG.pdf).
Have a great day,
Yuri
Hi Yuri,
Thanks for your quick response.
So the result is NXP's implementation feature, right?
If NXP's implementation is never modified, I will get a different SRK each time even if I input the same CA key, right?
BR,
carter
Hello,
Yes - a different SRK for the same CA, since the CA is the top of the PKI, intended just to sign the SRK.
openssl will generate different RSA key pairs (IMG, CSF, SRK) each time.
You can also take a look at HABCST_UG.pdf in the CST/doc folder, page 26, Figure 11 (HAB4 PKI Tree).
A HAB4 PKI tree consists of the following keys and certificates:
• CA key: is the top most key and is only used for signing SRK certificates.
• SRK: is the root key for HAB code signing keys. The cryptographic hash of a table of SRK is burned to one-time programmable efuses to establish a root of trust. Only one of the SRKs in the table may be selected for use on the Freescale processor per reset cycle. The selection of which SRK to use is a parameter within the Install Key CSF command (see Section 5.2.2, “Install SRK”). The SRK may only be used for signing certificate data of subordinate keys.
• CSF: is a subordinate key of the SRK and is used to verify the signature across CSF commands.
• IMG: is a subordinate key of the SRK key and is used to verify signatures across product software.
Regards,
Yuri
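The behaviour described above, as an added Go example (not NXP's CST code or hab4_pki_tree.sh): a fixed CA key signs freshly generated SRKs, and because RSA key generation draws new randomness every run, two runs under the same CA give two different SRKs and two different hashes. Assumed simplifications: 2048-bit keys, a raw PKCS#1 v1.5 signature in place of the X.509 SRK certificate, and SHA-256 over the DER public key in place of the real CST SRK table hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// genKey draws a fresh RSA key pair. Like the openssl calls in hab4_pki_tree.sh
// it pulls new randomness every call, so no two calls return the same key.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// srkHash stands in for the value burned to fuses: SHA-256 over the DER public
// key (simplified; the real CST SRK table layout is different).
func srkHash(k *rsa.PrivateKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey) // cannot fail for an RSA key
	return sha256.Sum256(der)
}

// caSignSRK is the CA's only job in the HAB4 tree: sign the SRK public key.
// A raw PKCS#1 v1.5 signature stands in for the X.509 SRK certificate CST emits.
func caSignSRK(ca, srk *rsa.PrivateKey) []byte {
	h := srkHash(srk)
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifySRK checks an SRK public key against the CA signature over it.
func verifySRK(caPub *rsa.PublicKey, srk *rsa.PrivateKey, sig []byte) bool {
	h := srkHash(srk)
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	ca := genKey()
	a, b := genKey(), genKey() // two runs of the script under the same CA
	fmt.Println(srkHash(a) != srkHash(b), verifySRK(&ca.PublicKey, a, caSignSRK(ca, a)))
}
```

Both printed values are true: the SRKs (and so the fuse hashes) differ, yet each SRK still verifies under the one CA that signed it, which is why a stable CA does not give a stable SRK.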
Hi Yuri,
Got it.
Thanks for your great support.
BR,
carter