FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HAB Certificate Hierarchy

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HAB Certificate Hierarchy

‎06-17-2015 04:37 AM
710 Views
benjaminh3
Contributor I

I am just digging through the documentation of the i.MX6 to find out what is technically possible concerning the use of multiple signature certificates. At the section Install Key Command in HAB API doc and CSF Language Description in CST doc I found

"The user is responsible for managing the key slots in the internal key stores to establish the desired public or secret key hierarchy and determine the keys used in authentication operations."

Though is it technically possible (independent if it's worth doing that) to implement a hierarchy of signature certificates where documentation just prints the IMG1 cert? This is how I understand the parameters verificationIndex and targetIndex, but I think documentation is too short to be sure.

The following quick draw shows what I understood and which extremes would be possible to implement using HAB4.

I would be pleased if you could tell me if I am correct or totally wrong.

CST-Cert-Tree-extrems.jpg

CA1 = self-signed, CA2 and CA3 are subCA of any other CA.

arrows denote something like "issues". Leaves would be used for signatures.

minimal and fast auth cases seem to be clear.

However, what about the extrem cases of max. depth and max. count?

Do I understand the possible use of multiple Install Key commands correctly?

Labels (1)
Labels
0 Kudos
Reply
2 Replies

‎06-18-2015 07:40 AM
539 Views
benjaminh3
Contributor I

Sorry, I will formulate my questions clearly:

  • Can each SRK be issued by another CA? Different SRKs -- differnt super CAs. Being self-signed is trivial.

  • Would it be possible to build a chain of certificates under one SRK based on the four possible image certificates?Of course, this hierachy could not be created by CST.
    • Install SRK1 -> index 0
    • InstallKey C1 issued by SRK1 to index 2 (verificationIndex=0)
    • InstallKey C2 issued by C1 to index 3 (verificationIndex=2, targetIndex=3)
    • InstallKey C3 issued by C2 to index 4 (verificationIndex=3, targetIndex=4)
    • InstallKey C4 issued by C3 to index 5 (verificationIndex=4, targetIndex=5)
    • AuthenticateData using C4 (verificationIndex=5)
0 Kudos
Reply

‎06-23-2015 02:04 AM
539 Views
bpe
NXP Employee
NXP Employee

Hello,

Sorry, but the information you are requesting is treated as confidential info at this time and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this with you in public anyway, this requires to be handled as a Service Request (SR). Be aware that to give you remote support through a SR, we will still need the confirmation of a Freescale employee that the NDA is in place. If you want to go this route, the next steps will be: If you have already signed a NDA agreement for this product, please contact the person who assisted you or create a SR and name us a Freescale person that can confirm this. If you have not signed an agreement, please contact your local Freescale Distributor Salesperson or FAE for assistance. For a listing of our distributors, refer to: http://www.freescale.com/webapp/sps/site/overview.jsp?code=DISTRIBUTORS

Have a great day,
Platon

-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------

0 Kudos
Reply