- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Cannot read certificate data, secure boot on IMX8MP
Cannot read certificate data, secure boot on IMX8MP
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cannot read certificate data, secure boot on IMX8MP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a simple question about generating keys and hashes for efuses on IMX8MP. I followed the instructions in CST_UG.pdf and run ./hab4_pki_tree.sh, which with default settings based on Figure 12. Then, I follow with:
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e
SRK_1_2_3_4_fuse.bin -d sha256 -c
./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem
,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pe
m -f 1
However, I got this error: [ERROR] SRKTOOL: Error! Failed to read certificate data from ./SRK1_sha256_2048_65537_v3_ca_crt.pem
In crts folder, I got only CA1_sha256_2048_65537_v3_ca_crt.pem and SRK1_sha256_2048_65537_v3_usr_crt.pem, not SRK3_sha256_2048_65537_v3_ca_crt.pem. What am I missing?
Thank you.
Matej I.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
Please try the command line below, then should be no such error. The Figure 12 that you refer should be the number of SRK with 1 and CA flag with n.
And the command line for SRK TABLE and SRK fuse generation that you refer are for SRK with 4 and CA flag with y.
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem -f 1
I'd would suggest to select 4 for the number of SRK and CA flag with y.
Regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So if I understand, first I call:
````
./hab4_pki_tree.sh
````
with rsa, 2048, and 4 keys. Then I switch to ../crts folder and run:
````
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1
````
which generates fuse table. Then I use Yocto build from Toradex (IMX8MP with Mallow board, tdx-reference-multimedia image). I am referring to this: https://github.com/toradex/meta-toradex-security/blob/kirkstone-6.x.y/docs/README-secure-boot-imx.md...
No more keys has to be added or generated, right? Now I build the yocto and in Uboot console, I fuse the keys, e.g., like this:
fuse prog -y 6 0 0x8AE322B2 fuse prog -y 6 1 0xDF2939A3 fuse prog -y 6 2 0x9DA80323 fuse prog -y 6 3 0x3B024EF2 fuse prog -y 7 0 0xA53091 fuse prog -y 7 1 0x55304E7A fuse prog -y 7 2 0xFB8FF259 fuse prog -y 7 3 0x9CE57582
Right now, the build fails but it may be due to yocto configuration. Is the process of generating keys for fusing correct?
Thank you.
Best regards
Matej I.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it‘s usually not necessary to add more. The process of generating keys for fusing is correct.
For build issue, please raise a case to Toradex if you need further assistance.
Regards
Harvey
