I noticed in the last version of the Code Signing Tools (CST-2.3.2) released some days ago there is a new option allowing to choose to use Elliptic Curve Cryptography when using the hab4_pki_tree for generatingthe PKI tree.
Is there support for using Elliptic Curve Crpytography in any version of HAB 4.x ?
Hello,
Generally HAB4 boot ROM in software supports the ECC and some CAAMs
(say, in i.MX6UL) provides hardware acceleration of ECC operations, but
NXP does not use it. In particular, HAB4 is based on RSA-4096.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hello Yuri,
I observed that the cst generates the certificates and keys required but the tool srktool which generates the Table and the efuse doesn't support or is unable to parse the ECC based certifcates and gives out the following error:
srktool: Error - Unsupported algorithm in X.509 certificate
Does this mean that even though Boot ROM can use ECC, the tool that generates the table and efuse doesn't support it? In this case, the cst-2.3.2 update is the only solution.
Am I in the right line of thought?
Greets,
Satya
Hello,
Shortly : currently IMX HAB does not support Elliptic Curve Crpytography.
Regards,
Yuri.
Hi all,
Yesterday I've tried to check hab_status with signed u-boot and SRK's wirtten. All done with Elliptic Curve. HAB events all the time.
Same procedure with RSA 2048 bit. no HAB events on hab_status.
Is ECC still not supportet from HAB?
U-Boot 2018.11+fslc+g6e25ce6f3c (Mar 19 2020 - 12:10:20 +0000)
CPU: Freescale i.MX6SX rev1.2 at 792 MHz
Reset cause: WDOG
Board: LEP3
DRAM: 512 MiB
MMC: FSL_SDHC: 0, FSL_SDHC: 1
thanks, regards
tom