Dear NXP supporter,
We are developing a security boot solution for our product using the I.MX8DQX device. However, from the AN12312.pdf document, we understand that the signature is calculated from the container header (container header as signed data) and not from the FW image, as in the following figure:
Is it possible to change this to calculate HASH521 from the FW image and use it as input for the signature?
@LanBui
Hello,
The container signature, shown in the picture, is verified against the SGK key
certificate, which is then verified against the SRK table. Images are not checked
at this stage. But the images are checked / authenticated, using the SGK, later,
as shown in Figure 2 (Secure boot flow overview) of the app note.
Regards,
Yuri.