About the PKI tree generated by cst tool


900 views
dlliweihua
Contributor III

Dear NXP experts,

I have used the cst tool to generate the SRK and SGK for secure boot.

I found the private keys in the "keys" folder and the certificates in the "crts" folder, and the private keys are encrypted.

My questions:

Can I use the generated SGK private key to sign my private image, such as an OTA package?

For example:

openssl dgst -sign SGK1_1_sha256_2048_65537_v3_usr_key.pem -sha256 -out privinfo.sign privinfo

And then, can I use the generated SGK certificate to verify the signature "privinfo.sign"?

Thanks!

Best regards,

Liweihua

1 Reply

880 views
IvanRuiz
NXP Employee

Hello,

Is the SGK also used for the secure boot? I suppose so. 

The SGK should be fine to use for OTA updates. Make sure to keep the private keys protected.

During an OTA update, you would have to extract the SGK public key from the boot signature, unless the public key is also installed separately in the device's filesystem so that it can be accessed during OTA package verification.

I am not sure which chip is being targeted here, but if the chip allows it, you can also use the mfg prot feature to ensure a secure connection between the update server and the device before performing an OTA update.

 

Hope it helps!

 

BR,

Ivan.

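The sign-and-verify round trip discussed in this thread, as an added example that is not part of the original posts or of the cst tool. It assumes the certificate is available on the device's filesystem; a throwaway key and self-signed certificate (`sgk_key.pem`, `sgk_crt.pem`, both constructed names) stand in for the SGK files, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. A throwaway key and self-signed certificate stand in for the
# CST-generated SGK key (keys/) and certificate (crts/); file names are constructed.

# Create the stand-in signing key and certificate in directory $1.
make_standin_sgk() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=standin-SGK" \
        -keyout "$1/sgk_key.pem" -out "$1/sgk_crt.pem" 2>/dev/null
}

# Sign file $2 with private key $1 and write the detached signature to $3.
# An encrypted key makes openssl prompt for its passphrase (or use -passin).
sign_image() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify signature $3 over file $2 with the public key held in certificate $1.
# "openssl dgst -verify" takes a public key, not a certificate, so extract it.
verify_image() {
    local pub rc
    pub=$(mktemp) || return 2
    if openssl x509 -in "$1" -pubkey -noout > "$pub" 2>/dev/null &&
       openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return "$rc"
}

# Round trip on a constructed payload, then again after modifying one byte.
demo() {
    local d ok bad
    d=$(mktemp -d) || return 2
    make_standin_sgk "$d" || { rm -rf "$d"; return 2; }
    printf 'constructed OTA payload\n' > "$d/privinfo"
    sign_image "$d/sgk_key.pem" "$d/privinfo" "$d/privinfo.sign" || { rm -rf "$d"; return 2; }
    if verify_image "$d/sgk_crt.pem" "$d/privinfo" "$d/privinfo.sign"
    then ok=accepted; else ok=rejected; fi
    printf 'X' >> "$d/privinfo"   # modified after signing
    if verify_image "$d/sgk_crt.pem" "$d/privinfo" "$d/privinfo.sign"
    then bad=accepted; else bad=rejected; fi
    rm -rf "$d"
    echo "original=$ok tampered=$bad"
}

demo
```

This checks the signature only against the key inside the given certificate; it does not validate that certificate's chain back to the CA certificate.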