i.MX93 is using SRK hash of 256bits, but the srktool command describe in the AHAB documentation fails:
../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin \
-e SRK_1_2_3_4_fuse.bin -f 1 -c \
SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem
[ERROR] SRKTOOL: Unsupported message digest algorithm
Can you advise me to fix this issue ?
Hello,
Thx, I used the new CST, so my issue to generate SRK 256bits no longer occurs.
Then I burned the SRK into i.MX93 fuses then the ahab_status return following events (errors):
=> ahab_status
Lifecycle: 0x00000008, OEM Open
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)
Can you advise me to fix it?
Hello,
I'm using CST 3.1.0 that has been download from the following uri, a few days ago:
i.MX High Assurance Boot Reference Code Signing Tool
I followed instructions in AN12312 to generate pki:
./ahab_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: y
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 10
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Moreover, "-d" seems only allowed with "-h4".