About the PKI tree generated by cst tool

dlliweihua
Contributor III

Dear NXP experts,

I have used cst tool to generate SRK and SGK for secure boot.

I found the private keys in the "keys" folder and certificates in the "crts" folder,

and the private keys are encrypted.

My questions:

Can I use the generated SGK private key to sign my private image, such as an OTA package?

For example:

openssl dgst -sign SGK1_1_sha256_2048_65537_v3_usr_key.pem -sha256 -out privinfo.sign privinfo

And then, can I use the generated SGK certificate to verify the signature "privinfo.sign"?

Thanks!

Best regards,

Liweihua

1 Reply

IvanRuiz
NXP Employee

Hello,

Is the SGK also used for the secure boot? I suppose so. 

The SGK should be fine to use for OTA updates. Make sure to keep the private keys protected.

During OTA update you would have to extract the SGK public key from the boot signature unless the public key is being installed separately as well in the device's filesystem to access during OTA package verification.

I am not sure which chip is being targeted here but if the chip allows, you can also use mfg prot feature to ensure a secure connection between the update server and device before performing an OTA update.

Hope it helps!

BR,

Ivan.

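The sign-then-verify flow discussed in this thread, written out as an added example (not code from the thread or from NXP's CST tool). It generates a throwaway passphrase-encrypted RSA key and self-signed certificate as stand-ins for the CST-generated SGK key and certificate (the CST "keys/" and "crts/" file names mentioned in the question, such as keys/SGK1_1_sha256_2048_65537_v3_usr_key.pem, are assumed and not recreated here; a real SGK certificate is issued under its SRK rather than self-signed). Two practical details the question runs into: the CST private keys are passphrase-encrypted, so the signing command needs -passin (or it will prompt), and openssl dgst -verify takes a public key, not a certificate, so the public key is first pulled out of the certificate with openssl x509 -pubkey. The extracted public key is the thing the device should pin, whether it is installed in the filesystem or recovered from the boot signature as the reply suggests; trusting whatever certificate ships inside the OTA package would defeat the check. The payload and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example: sign an OTA payload with an SGK-style RSA key and verify it
# with the public key extracted from the matching certificate.
# The key/cert below are throwaway stand-ins generated here, not CST output.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="pass:example-passphrase"   # constructed; CST keys are passphrase-encrypted too

# Stand-in for the CST SGK key pair: encrypted private key + self-signed cert.
# (Assumption: self-signed is enough here; a real SGK cert is signed by its SRK.)
make_stand_in_sgk() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/sgk_key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/sgk_key.pem" -passin "$PASS" \
        -subj "/CN=SGK1_1_sha256_2048_65537_v3_usr" -days 365 \
        -out "$WORK/sgk_crt.pem" 2>/dev/null
}

# Build side: the same command as in the question, plus -passin for the encrypted key.
sign_payload() {    # $1 = payload, $2 = signature output
    openssl dgst -sha256 -sign "$WORK/sgk_key.pem" -passin "$PASS" -out "$2" "$1"
}

# Device side: dgst -verify needs a bare public key, so pull it out of the cert.
# This public key is what the device should pin (installed in its filesystem,
# or recovered from the boot signature as the reply describes).
extract_pubkey() {
    openssl x509 -in "$WORK/sgk_crt.pem" -pubkey -noout > "$WORK/sgk_pub.pem"
}

# Verify with the pinned public key; prints 0 on success, 1 on failure.
verify_payload() {  # $1 = payload, $2 = signature
    if openssl dgst -sha256 -verify "$WORK/sgk_pub.pem" -signature "$2" "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Constructed OTA payload stand-in.
printf 'ota-package-v1: constructed sample payload\n' > "$WORK/privinfo"
make_stand_in_sgk
extract_pubkey
sign_payload "$WORK/privinfo" "$WORK/privinfo.sign"

GOOD=$(verify_payload "$WORK/privinfo" "$WORK/privinfo.sign")

# Change the payload after signing: the signature must no longer verify.
printf 'ota-package-v2: constructed sample payload\n' > "$WORK/privinfo.tampered"
BAD=$(verify_payload "$WORK/privinfo.tampered" "$WORK/privinfo.sign")

echo "intact: $GOOD  tampered: $BAD"   # intact: 0  tampered: 1
```

In a real deployment only sign_payload runs on the build host holding the encrypted SGK private key; the device needs nothing more than the extracted public key (or its hash) and the payload plus signature, which is why keeping the "keys/" folder off the device and off the update server matters.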