HAB PKI

aleksandar_niko
Contributor III

Hello,

I have a question about the PKI used for the HAB authentication. The CST comes with a script which generates the full PKI: CA -> SRK -> IMG/CSF. The self-signed CA signs the SRK, which in turn signs the IMG/CSF - everything clear.

However, we are fusing the SRK onto the board. Thus, my question: why do we need the CA, i.e. why aren't the SRK self-signed?

Thanks, cheers,

Aleksandar

aleksandar_niko
Contributor III

Hello Yuri,

Some things are still unclear to me. Let me ask this way. I modified the script that creates the hab4 PKI in a way that I use my own SRK keys/crts, but the CA and the CST/IMG keys are generated by the script every time. The SRK hashes that are supposed to be fused on the board remained the same. Does this make sense?

Yuri
NXP Employee

@aleksandar_niko 
Hello,

SRK is used to check CST/IMG keys. It is possible to revoke one SRK in order to use another.

Regards,
Yuri.

aleksandar_niko
Contributor III

Hi Yuri,

I don't think you understand me, it has nothing to do with the target. If I use my own SRK keys every time I create the PKI (basically I create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

Yuri
NXP Employee

Hello,

> ... create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

Yes - why not?

 

Regards,
Yuri.

aleksandar_niko
Contributor III

Would in that case the HAB authentication work? (The SRK hashes remain the same).

Yuri
NXP Employee

@aleksandar_niko 

If I correctly understand the problem - the SRK (once burned) must not be changed.

~Yuri.   

aleksandar_niko
Contributor III

Here's a bit longer explanation so we would be on the same page.

Step1:

  • We generate the whole PKI (CA, SRK, IMG/CST)
  • SRKs are burned (cannot be changed anymore)
  • HAB authentication works

Step2:

  • We generate a new PKI, but with SRK keys from the previous step. This means CA and IMG/CST keys are generated, but SRK are just integrated into the PKI
  • This means
    • SRK are the same as in Step1 but are signed by different CA
    • IMG/CST keys are different than in Step1 but are signed by the same SRK

Is the PKI from the Step2 valid and could you tell whether the authentication would work?

Yuri
NXP Employee

@aleksandar_niko 

CA is not involved in target verifications; the PKI from the Step2 is valid and the authentication will work. SRK hash is checked.

 

~Yuri.
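
The Step 1 / Step 2 scenario from this thread, reproduced with plain OpenSSL as an added example (not part of the original posts and not NXP's CST scripts). All file and subject names are constructed, and the digest shown is a SHA-256 over the certified public key only; it stands in for the SRK hash to show what stays constant, and is not the value that gets fused.

```shell
#!/bin/sh
# Added example: constructed keys, file names and subject names.
set -eu

# SHA-256 over the DER public key inside a certificate. This is NOT the
# fuse value (CST derives that from its SRK table); it only shows that
# the key material is the same whichever CA issued the certificate.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the whole certificate, issuer and CA signature included.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Throwaway self-signed CA. $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Certify an existing SRK key. $1 = CA prefix, $2 = SRK key, $3 = output.
issue_srk_cert() {
    openssl req -new -key "$2" -subj "/CN=SRK1 constructed" -out "$3.csr"
    openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# Step 1 and Step 2 of the thread: one SRK key, two unrelated CAs.
build_demo() {
    openssl genrsa -out "$1/srk1.key" 2048 2>/dev/null
    make_ca "$1/ca_step1" "Constructed CA step 1"
    make_ca "$1/ca_step2" "Constructed CA step 2"
    issue_srk_cert "$1/ca_step1" "$1/srk1.key" "$1/srk1_step1.crt"
    issue_srk_cert "$1/ca_step2" "$1/srk1.key" "$1/srk1_step2.crt"
}

work=$(mktemp -d)
build_demo "$work"
for step in step1 step2; do
    crt="$work/srk1_$step.crt"
    echo "$step pubkey: $(pubkey_digest "$crt")"
    echo "$step cert:   $(cert_fingerprint "$crt")"
done
rm -rf "$work"
```

The two certificate fingerprints differ because the issuer and signature changed, while the public-key digest is identical in both steps.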

Yuri
NXP Employee

@aleksandar_niko 
Hello,

The issue has already been discussed in

https://community.nxp.com/t5/i-MX-Processors/Confused-about-SRK/m-p/1184334

 

Regards,
Yuri.
