i.MX93 uses a 256-bit SRK hash, but the srktool command described in the AHAB documentation fails:
../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin \
-e SRK_1_2_3_4_fuse.bin -f 1 -c \
SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem
[ERROR] SRKTOOL: Unsupported message digest algorithm
Can you advise me on how to fix this issue?
Thx, the new CST fixes my issue.
Hello,
Thx, I used the new CST, so my issue with generating the 256-bit SRK no longer occurs.
Then I burned the SRK into the i.MX93 fuses, and ahab_status returns the following events (errors):
=> ahab_status
Lifecycle: 0x00000008, OEM Open
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)
Can you advise me on how to fix it?
Which CST are you using? It would be better to share more information, such as how you generated the PKI.
Regards
Harvey
Hello,
I'm using CST 3.1.0, which was downloaded from the following URI a few days ago:
i.MX High Assurance Boot Reference Code Signing Tool
I followed the instructions in AN12312 to generate the PKI:
./ahab_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: y
Enter length for elliptic curve to be used for PKI tree:
Possible values p256, p384, p521: p384
Enter the digest algorithm to use: sha384
Enter PKI tree duration (years): 10
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
Moreover, "-d" seems to be allowed only with "-h4".