About secure boot KPI keys

changbaoma · ‎10-28-2020

When generate KPI keys tree used in secure boot by hab4_pki_tree.sh.

What is the maximum years of the PKI tree keys duration？

What would happen if this max duration is expired？

Yuri · ‎10-29-2020

Customers can try to input 200 or 1000 years.
Note: i.MX devices are qualified for 10 - 15 years on continuous operation.

Regards,
Yuri.

View solution in original post

Yuri · ‎10-28-2020

@changbaoma
Hello,

look at the following:

https://community.nxp.com/t5/i-MX-Processors/HABv4-and-certificate-expiring-date/m-p/1058869

https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-CST-3-0-1-the-validity-period-of-the-corres...

Regards,
Yuri.

changbaoma · ‎10-29-2020

Hi, Yuri

I have read your post above, but also confuse me.

What is the maximum duration can i set? 10 years? or 1000 years? or more?

If the KPI keys are valid for 10 years, can the current generated KPI keys be used to sign a new image after 10 years? Or i must to generated new KPI keys at that time.

Yuri · ‎10-29-2020

Use 10 year - no need to modify the keys after this period.

~Yuri.

changbaoma · ‎10-29-2020

Our customs may use our products 50 years，even 200 years.

During this period, we need to do equipment maintenance all the time, and will still upgrade and re-sign zImage.

can we input 200 (years) even 1000 years? @Yuri

Yuri · ‎10-29-2020

@changbaoma
Hello,

Customers can try to input 200 or 1000 years.
Note: i.MX devices are qualified for 10 - 15 years on continuous operation.

Regards,
Yuri.