HAB PKI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
2,166 Views
aleksandar_niko
Contributor III

Hello,

I have a question about the PKI used for the HAB authentication. The CST comes with a script which generates the full PKI: CA -> SRK -> IMG/CSF. The self-signed CA sign the SRK, which in turn sign the IMG/CSF - everything clear.

However, we are fusing the SRK onto the board. Thus, my question: Why do we need the CA ie. why arent the SRK self-signed?

Thanks, cheers,

Aleksandar

0 Kudos
Reply
1 Solution
2,104 Views
Yuri
NXP Employee
NXP Employee

@aleksandar_niko 

  CA is not involved in target verifications;  the PKI from the Step2 is valid and  the authentication will work.
SRK hash is checked.

 

~Yuri.

View solution in original post

0 Kudos
Reply
9 Replies
2,139 Views
aleksandar_niko
Contributor III

Hello Yuri,

some things are still unclear for me. Let me ask this way. I modified the script that creates the hab4 PKI in a way that I use my own SRK keys/crts, but the CA and the CST/IMG keys are generated by the script every time. The SRK hashes that are supposed to be fused on the board remained the same. Does this make sense?

0 Kudos
Reply
2,132 Views
Yuri
NXP Employee
NXP Employee

@aleksandar_niko 
Hello,

  SRK is used to check CST/IMG keys. It is possible to revoke one SRK in order to use 
another.   

Regards,
Yuri.

0 Kudos
Reply
2,128 Views
aleksandar_niko
Contributor III

Hi Yuri,

I dont think you understand me, it has nothing to do with the target. If I use my own SRK keys every time I create the PKI (basically I create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

0 Kudos
Reply
2,125 Views
Yuri
NXP Employee
NXP Employee

Hello,

> ... create the CA and the IMG/CST keys, but the SRK always remain the same), is such PKI valid?

Yes - why not?

 

Regards,
Yuri.

0 Kudos
Reply
2,123 Views
aleksandar_niko
Contributor III

Would in that case the HAB authentication work? (The SRK hashes remain the same).

0 Kudos
Reply
2,114 Views
Yuri
NXP Employee
NXP Employee

@aleksandar_niko 

  if I correctly understand the problem - the SRK (once burned) must not be changed.

~Yuri.   

0 Kudos
Reply
2,110 Views
aleksandar_niko
Contributor III

Heres a bit longer explanation so we would be on the same page.

Step1:

  • We generate the whole PKI (CA, SRK, IMG/CST)
  • SRKs are burned (cannot be changed anymore)
  • HAB authentication works

Step2:

  • We generate a new PKI, but with SRK keys from the previous step. This means CA and IMG/CST keys are generated, but SRK are just integrated into the PKI
  • This means
    • SRK are the same as in Step1 but are signed by different CA
    • IMG/CST keys are different than in Step1 but are signed by the same SRK

Is the PKI from the Step2 valid and could you tell whether the authentication would work?

0 Kudos
Reply
2,105 Views
Yuri
NXP Employee
NXP Employee

@aleksandar_niko 

  CA is not involved in target verifications;  the PKI from the Step2 is valid and  the authentication will work.
SRK hash is checked.

 

~Yuri.

0 Kudos
Reply
2,155 Views
Yuri
NXP Employee
NXP Employee

@aleksandar_niko 
Hello,

   The issue has been already discussed in

https://community.nxp.com/t5/i-MX-Processors/Confused-about-SRK/m-p/1184334

 

Regards,
Yuri.

0 Kudos
Reply