FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Confused about SRK

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Confused about SRK

Jump to solution
‎11-17-2020 01:07 AM
2,036 Views
dlliweihua
Contributor III

Hello NXP experts,

The PKT tree generated by cst tool is as  "CA->SRK->SGK(optional)",

why the burned key into fuse OTP is not CA's public key but SRK's public key?

And in the final signed image, there is no SRK's certificate, that is to say,

the procedure of using CA's private key to sign SRK's public key is only performed

on host computer to generate SRKn_XXX_XXX_XXX_v3_XXX_crt.pem,

and the SRK's public key infos (RSA Modulus/Exponent or ECDSA X/Y)

are written into SRK record in the signed image directly.

When performing seco image verification, the CA's public key never used!

Then, what is the role of CA to the end during the whole process?

Best Regards,

liweihua

 

                   

                         

0 Kudos
Reply
1 Solution

Jump to solution
‎11-18-2020 02:14 AM
1,992 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua 

    We do not use all trust levels (starting from CA) during
i.MX boot. Further optimization is Fast authentication.
It provides the option to use the SRK to verify the CSF data
and Image data directly, instead of using the CSF and IMG keys.
This reduces the number of key pair authentications that must
occur during boot stage. 

View solution in original post

Reply
5 Replies

Jump to solution
‎11-17-2020 10:01 PM
2,020 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua 
Hello,

  In general, the i.MX HAB CST approach is intended for the case, when there are following
participants:
• A Certificate Authority (CA), which is responsible for protecting the top level CA key and for
certifying lower level code signing keys.
• A Signature Authority (SA), which is responsible for performing the act of code signing.
• A Manufacturer, which is responsible for requesting digital signatures across product
software

   The CST is set of command line tools residing on a host computer which serves as both the Certificate  Authority (CA) and Signature Authority (SA) allowing manufacturers to control all aspects of the HAB  code signing process.

 

Regards,
Yuri.

0 Kudos
Reply

Jump to solution
‎11-17-2020 10:34 PM
2,016 Views
dlliweihua
Contributor III

@Yuri 

Since CA is used to protect SRK,

SECO should use CA's public key to decrypt and get SRK's public key from SRK's certificate.

Why dose CST not write SRK's certificate into the signed image?

Why the burned key into fuse OTP is not CA's public key instead of  SRK's public key?

Regards,

liweihua

0 Kudos
Reply

Jump to solution
‎11-17-2020 11:12 PM
2,008 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua 
Hello,

  AHAB implementation may be considered as some kind of optimization.
Note, SRK fuses contain hash of SRK keys.  

 

Regards,
Yuri.

0 Kudos
Reply

Jump to solution
‎11-18-2020 01:57 AM
2,000 Views
dlliweihua
Contributor III

@Yuri 

1.AHAB implementation may be considered as some kind of optimization.

Is this optimization equivalent to SRK self signature?

2.Note, SRK fuses contain hash of SRK keys.  

Yes,I have noted this point.

 

Thanks.

Regards,

liweihua

0 Kudos
Reply

Jump to solution
‎11-18-2020 02:14 AM
1,993 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua 

    We do not use all trust levels (starting from CA) during
i.MX boot. Further optimization is Fast authentication.
It provides the option to use the SRK to verify the CSF data
and Image data directly, instead of using the CSF and IMG keys.
This reduces the number of key pair authentications that must
occur during boot stage. 

Reply