Data covered by HAB4 CSF signature

benjaminh3 · ‎09-16-2015

What exactly is tampere-proofed by the digital signature of the CSF in case of HAB4? Documentation is not absolutely clear concerning this question. Can anyone tell me, what of this data is signed by the CSF signature? Is this anywhere documented clearly?

CSF commands
image signing certificates
image signatures

I understood that only the first of the three is really signed.

thilo_jeremias · ‎09-16-2015

The structure of the CSF description is signed.

Also the entry point that is specified in the IVT and the DCD's need to be covered by the signature.

The sample in the application note AN4581 is accurate.

benjaminh3 · ‎09-16-2015

What do you mean by "structure"?

CSF commands like Install, Authenticate, ... are one part of the binary csf.Keys and signatures for image used by those commands are stored seperatebly being referenced by addresses.

So, which of these parts are really signed by the CSF signature.

Is integrity of image signatures and certificates secured by CSF signature, or not? Or only that of commands.

This information I cannot find in the docs.

thilo_jeremias · ‎09-16-2015

The content of the CSF file ( keys, key number, description of area covered etc... gets converted into a binary structure (i.e. the certificate is included in DER form. )

This complete structure is signed.

The content of the structure describes what else is covered by the signature. I am not sure how the details of the signing work.

Depending of the HAB version there is a fast verify that only uses the one of the SRK's or the old way which uses 2 certificates (the SRK one and a separate siginign certificate). But the CSF including the certs and the refrenced memory, is verified.

Simple answer: Yes the integrity of both is secured.

Data covered by HAB4 CSF signature

Data covered by HAB4 CSF signature

i.MX6_All