A problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

A problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1

1,300 Views
tsung-chihwang
Contributor III

Hi All,

I met a problem about generating PKI tree via hab4_pki_tree.sh of cst-2.3.1.

Even I input the same CA key, I will get different SRK each time..

Is it reasonable?

I supposed that I can get the same SRK/CSF/IMG if I input the same CA.

BR,

carter

Labels (1)
Tags (2)
4 Replies

1,042 Views
Yuri
NXP Employee
NXP Employee

Hello,

    This is implementation feature of NXP CST.

Customers can design own  one ; please refer to Appendix B (Replacing the CST Backend

Implementation) of the CST User’s Guide (HABCST_UG.pdf).

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

1,042 Views
tsung-chihwang
Contributor III

Hi Yuri,

Thanks for your quick response.

So the result is NXP's implementation feature, right?

If never modified NXP's implementation, I will get different SRK each time even input the same CA key, right?

BR,

carter

0 Kudos
Reply

1,042 Views
Yuri
NXP Employee
NXP Employee

Hello,

 Yes - different SRK for the same CA, since CA is top of PKI, intended just to sign SRK.

The openssl will generate different RSA key-pairs (IMG, CSF, SRK) each time. 

 

You can take a look also to CST/doc folder to HABCST_UG.pdf, page 26, Figure 11. HAB4 PKI Tree.

 

A HAB4 PKI tree consists of the following keys and certificates:
• CA key: is the top most key and is only used for signing SRK certificates.
• SRK: is the root key for HAB code signing keys. The cryptographic hash of a table of SRK is burned to one-time programmable efuses to establish a root of trust. Only one of the SRKs in the table may be selected for use on the Freescale processor per reset cycle. The selection of which SRK to use is a parameter within the Install Key CSF command (see Section 5.2.2, “Install SRK”). The SRK may only be used for signing certificate data of subordinate keys.
• CSF: is a subordinate key of the SRK and is used to verify the signature across CSF commands.
• IMG: is a subordinate key of the SRK key and is used to verify signatures across product software.

Regards,

Yuri

1,042 Views
tsung-chihwang
Contributor III

Hi Yuri,

Got it.

Thanks for your great support.

BR,

carter

0 Kudos
Reply