Hello,
I have a question about the PKI used for the HAB authentication. The CST comes with a script which generates the full PKI: CA -> SRK -> IMG/CSF. The self-signed CA sign the SRK, which in turn sign the IMG/CSF - everything clear.
However, we are fusing the SRK onto the board. Thus, my question: Why do we need the CA ie. why arent the SRK self-signed?
Thanks, cheers,
Aleksandar
Solved! Go to Solution.
CA is not involved in target verifications; the PKI from the Step2 is valid and the authentication will work.
SRK hash is checked.
~Yuri.
Hello Yuri,
some things are still unclear for me. Let me ask this way. I modified the script that creates the hab4 PKI in a way that I use my own SRK keys/crts, but the CA and the CST/IMG keys are generated by the script every time. The SRK hashes that are supposed to be fused on the board remained the same. Does this make sense?
@aleksandar_niko
Hello,
SRK is used to check CST/IMG keys. It is possible to revoke one SRK in order to use
another.
Regards,
Yuri.
Hi Yuri,
I dont think you understand me, it has nothing to do with the target. If I use my own SRK keys every time I create the PKI (basically I create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?
Hello,
> ... create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?
Yes - why not?
Regards,
Yuri.
Would in that case the HAB authentication work? (The SRK hashes remain the same).
if I correctly understand the problem - the SRK (once burned) must not be changed.
~Yuri.
Heres a bit longer explanation so we would be on the same page.
Step1:
Step2:
Is the PKI from the Step2 valid and could you tell whether the authentication would work?
CA is not involved in target verifications; the PKI from the Step2 is valid and the authentication will work.
SRK hash is checked.
~Yuri.
@aleksandar_niko
Hello,
The issue has been already discussed in
https://community.nxp.com/t5/i-MX-Processors/Confused-about-SRK/m-p/1184334
Regards,
Yuri.