- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
HABv4 PKI - CA Required?
Hi,
I have a some general question about the HABv4 PKI concepts.
1) Why is a CA required? Why do the SRK Certificates have to be signed by the CA?
The fuses just contain the hash of the SRK table, right? so the four SRKs can just be root certificates as well, no? Also, there seems to be no need for the four SRKs to be signed by the same CA, no?
2) What's the usecase of the add_key script?
When would I use that?
I generate the SRKs, burn the fuses and after that things are set in stone, no?
3) What would be the usecase for someone *not* to use all 4 SRK slots in the table?
e.g. why would someone fuse a SRK table with just a single entry?
What happens should that key index at some point being revoked/fused ?
Thanks a lot!
Hi,
-> SGK is issued by SRK, the CA of SGK is SRK. CA is the holder of a private key used to certify public keys, the SRK private key is held by the CA.
-> Generally used to add new SGK. It is also possible to replace the OpenSSL and the hab4_pki_tree script with an alternative key generation solution,
-> Only one of the SRKs in the table may be selected for use on the NXP processor per reset cycle.
Regards
Harvey
Where does SGK come from for HABv4 PKI?
$ ./hab4_pki_tree.sh
...
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 5
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
The diagram below illustrate the PKI tree:
+---------+
| CA |
+---------+
|
|
---------------------------------------------------
| | | |
| | | |
v v v v
+--------+ +--------+ +--------+ +--------+
| SRK1 | | SRK2 | | SRK3 | | SRK4 |
+--------+ +--------+ +--------+ +--------+
/ \ / \ / \ / \
v v v v v v v v
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
|CSF1| |IMG1| |CSF2| |IMG2| |CSF3| |IMG3| |CSF4| |IMG4|
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
After running the script users can check the private keys under keys/ directory
and their respective X.509v3 public key certificates under crts/ directory.
Those files will be used during the signing and authentication process.
2.1 Generating a fast authentication PKI tree
----------------------------------------------
Starting in HAB v4.1.2 users can use a single SRK key to authenticate the both
CSF and IMG contents. This reduces the number of key pair authentications that
must occur during the ROM/HAB boot stage, thus providing a faster boot process.
The script hab4_pki_tree.sh is also able to generate a Public Key Infrastructure
(PKI) tree which only contains SRK Keys, users should not set the CA flag when
generating the SRK certificates.
- Generating 2048-bit fast authentication PKI tree on CST (starting from
v3.1.0):
$ ./hab4_pki_tree.sh
...
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 2048
Enter PKI tree duration (years): 5
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
The diagram below illustrate the PKI tree generated:
+---------+
| CA |
+---------+
|
|
---------------------------------------------------
| | | |
| | | |
v v v v
+--------+ +--------+ +--------+ +--------+
| SRK1 | | SRK2 | | SRK3 | | SRK4 |
+--------+ +--------+ +--------+ +--------+
