Fails to create i.MX93 SRK table

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Fails to create i.MX93 SRK table

998 Views
tperrot
Contributor II

i.MX93 is using SRK hash of 256bits, but the srktool command describe in the AHAB documentation fails:

../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin \
      -e SRK_1_2_3_4_fuse.bin -f 1 -c \
      SRK1_sha384_secp384r1_v3_usr_crt.pem,\
      SRK2_sha384_secp384r1_v3_usr_crt.pem,\
      SRK3_sha384_secp384r1_v3_usr_crt.pem,\
      SRK4_sha384_secp384r1_v3_usr_crt.pem
[ERROR] SRKTOOL: Unsupported message digest algorithm

Can you advise me to fix this issue ?

Tags (5)
0 Kudos
Reply
5 Replies

832 Views
tperrot
Contributor II

Thx, the new CST fixes my issue.

883 Views
tperrot
Contributor II

Hello,

Thx, I used the new CST, so my issue to generate SRK 256bits no longer occurs.

Then I burned the SRK into i.MX93 fuses then the ahab_status return following events (errors):

=> ahab_status 
Lifecycle: 0x00000008, OEM Open
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)

 Can you advise me to fix it?

0 Kudos
Reply

971 Views
Harvey021
NXP TechSupport
NXP TechSupport

Which cst are you using and better share more information like how you generate pki?

 

Regards

Harvey 

0 Kudos
Reply

960 Views
tperrot
Contributor II

Hello,

I'm using CST 3.1.0 that has been download from the following uri, a few days ago:

i.MX High Assurance Boot Reference Code Signing Tool

I followed instructions in AN12312 to generate pki:

 ./ahab_pki_tree.sh 
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: y
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 10
Do you want the SRK certificates to have the CA flag set? (y/n)?: n


Moreover, "-d" seems only allowed with "-h4".

0 Kudos
Reply

953 Views
Harvey021
NXP TechSupport
NXP TechSupport

For i.MX93, should use the new CST as: IMX_CST_TOOL_NEW 

 

Regards

Harvey

0 Kudos
Reply