Fails to create i.MX93 SRK table

tperrot

i.MX93 is using SRK hash of 256bits, but the srktool command describe in the AHAB documentation fails:

../linux64/bin/srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin \
      -e SRK_1_2_3_4_fuse.bin -f 1 -c \
      SRK1_sha384_secp384r1_v3_usr_crt.pem,\
      SRK2_sha384_secp384r1_v3_usr_crt.pem,\
      SRK3_sha384_secp384r1_v3_usr_crt.pem,\
      SRK4_sha384_secp384r1_v3_usr_crt.pem
[ERROR] SRKTOOL: Unsupported message digest algorithm

Can you advise me to fix this issue ?

tperrot

Thx, the new CST fixes my issue.

tperrot

Hello,

Thx, I used the new CST, so my issue to generate SRK 256bits no longer occurs.

Then I burned the SRK into i.MX93 fuses then the ahab_status return following events (errors):

=> ahab_status 
Lifecycle: 0x00000008, OEM Open 
0x0287fad6 
IPC = MU APD (0x2) 
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87) 
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA) 
STA = ELE_SUCCESS_IND (0xD6)

Can you advise me to fix it?

Harvey021

Which cst are you using and better share more information like how you generate pki?

Regards

Harvey

tperrot

Hello,

I'm using CST 3.1.0 that has been download from the following uri, a few days ago:

i.MX High Assurance Boot Reference Code Signing Tool

I followed instructions in AN12312 to generate pki:

 ./ahab_pki_tree.sh 
Do you want to use an existing CA key (y/n)?: n 
Do you want to use Elliptic Curve Cryptography (y/n)?: y 
Enter length for elliptic curve to be used for PKI tree: 
Possible values p256, p384, p521: p384 
Enter the digest algorithm to use: sha384 
Enter PKI tree duration (years): 10 
Do you want the SRK certificates to have the CA flag set? (y/n)?: n

Moreover, "-d" seems only allowed with "-h4".

Harvey021

For i.MX93, should use the new CST as: IMX_CST_TOOL_NEW

Regards

Harvey