Hello,
I have a question about the PKI used for the HAB authentication. The CST comes with a script which generates the full PKI: CA -> SRK -> IMG/CSF. The self-signed CA signs the SRK, which in turn signs the IMG/CSF - everything clear.
However, we are fusing the SRK onto the board. Thus, my question: Why do we need the CA, i.e. why aren't the SRK self-signed?
Thanks, cheers,
Aleksandar
CA is not involved in target verifications; the PKI from the Step2 is valid and the authentication will work.
SRK hash is checked.
~Yuri.
Hello Yuri,
Some things are still unclear to me. Let me ask this way. I modified the script that creates the hab4 PKI in a way that I use my own SRK keys/crts, but the CA and the CST/IMG keys are generated by the script every time. The SRK hashes that are supposed to be fused on the board remained the same. Does this make sense?
Hi Yuri,
I don't think you understand me, it has nothing to do with the target. If I use my own SRK keys every time I create the PKI (basically I create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?
Here's a bit longer explanation so we would be on the same page.
Step1:
Step2:
Is the PKI from the Step2 valid and could you tell whether the authentication would work?
@aleksandar_niko
Hello,
The issue has already been discussed in
https://community.nxp.com/t5/i-MX-Processors/Confused-about-SRK/m-p/1184334
Regards,
Yuri.
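The situation discussed in this thread (same SRK key, regenerated CA), as an added example that is not part of the original posts and not CST code. It assumes `openssl` is installed and uses a SHA-256 digest of the certificate's DER public key as a stand-in for a key-derived hash; the real fuse values come from the CST tooling, and all file names and subjects are constructed.

```shell
#!/bin/sh
# Added example: names, subjects and paths are constructed for illustration.
set -e
WORK=$(mktemp -d)

# Create a throwaway self-signed CA (key + certificate) named $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a certificate for the existing SRK key under CA $1, written to $2.
issue_srk_cert() {
    openssl req -new -key "$WORK/srk.key" -subj "/CN=Constructed SRK1" \
        -out "$WORK/srk.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srk.csr" -days 1 -set_serial 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2" 2>/dev/null
}

# SHA-256 over the DER public key carried in certificate $1 (stand-in hash).
pubkey_digest() {
    openssl x509 -in "$WORK/$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the whole certificate, issuer name and signature included.
cert_digest() {
    openssl x509 -in "$WORK/$1" -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

openssl genrsa -out "$WORK/srk.key" 2048 2>/dev/null  # SRK key that is kept
make_ca ca_old; issue_srk_cert ca_old srk_old.pem     # first PKI run
make_ca ca_new; issue_srk_cert ca_new srk_new.pem     # new CA, same SRK key

echo "public key digest  (old CA): $(pubkey_digest srk_old.pem)"
echo "public key digest  (new CA): $(pubkey_digest srk_new.pem)"
echo "certificate digest (old CA): $(cert_digest srk_old.pem)"
echo "certificate digest (new CA): $(cert_digest srk_new.pem)"
```

The two public key digests match while the certificate digests differ, which is consistent with the observation above that the SRK hashes stayed the same after the CA was regenerated.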