HABv4 key management

mssp
Contributor II

Hello everyone

How would you recommend managing the keys in a situation where a third party needs the capability to independently sign software releases?

i.e. we need to give a key to someone to be able to sign; should we give them an SRK? Or just an "IMG" key? Can they even sign with just the IMG key?

As far as I understand, we can only revoke SRKs and not individual IMG keys, which means that if both we and the external partner use the same SRK, we will not be able to revoke theirs?

I have not been able to find any information in the documentation about having multiple IMG keys, or about key management.

Thanks

4 Replies

Bio_TICFSL
NXP TechSupport

Hello,

I'll address your question about managing keys when a third party needs to sign software releases independently.

In HABv4, only SRK (Super Root Key) keys can be revoked, not individual IMG (image) keys. The system is designed with a strict hierarchical trust model.

When working with third parties for signing:

1. SRK keys are the root of trust and are generally managed by the device owner. These keys should be carefully protected as they represent the foundation of your security model.

2. If you give a third party an SRK key, they would have complete signing authority at the root level. This is generally not recommended as it grants them extensive privileges.

3. You can provide a third party with an IMG key that's under your SRK. This allows them to sign images while you maintain control of the root key.

4. The third party cannot independently sign with just an IMG key - they need the complete certificate chain that traces back to an SRK in your device's fuses.

5. For key isolation, it's recommended to use different SRKs for different signing entities. For example, you could use SRK1 for your internal builds and SRK2 for the external partner.

6. You are correct that only SRKs can be revoked (not individual IMG keys), and this is done at the fuse level in HABv4. If both you and your partner use the same SRK, you cannot selectively revoke their signing ability without also revoking your own.

The recommended approach is to assign different SRKs to different signing entities so that if revocation becomes necessary, you can revoke their SRK without affecting your own signing capabilities.


Regards

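The key hierarchy the reply above describes, as an added worked model. This is example code written for this page, not NXP's CST tooling and not anything posted in the thread. It assumes Ed25519 from Go's standard library as a stand-in for the RSA or ECDSA keys CST generates, reduces the SRK table hash to a SHA-256 over the concatenated public keys rather than the real table layout, models an IMG certificate as an SRK signature over (index, IMG public key) instead of an X.509 certificate, and leaves out the CSF key that signs the CSF commands. The SRK_REVOKE handling (one bit per SRK index, index 0 not revocable, bits only ever set) follows HABv4. The scenario builds a table with SRK0 for in-house builds and SRK1 for a partner, issues an IMG certificate under each, then checks that the partner can sign with only the IMG private key and that certificate, that an IMG key the owner never certified does not verify, and that burning the SRK1 revocation bit stops the partner's chain without touching SRK0.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SRKTable holds up to four SRK public keys. Only Hash(), the SRK_HASH fuse
// value, lives on the device; the table itself ships inside every signed image.
type SRKTable struct{ Keys []ed25519.PublicKey }

func (t SRKTable) Hash() [32]byte {
	var all []byte
	for _, k := range t.Keys {
		all = append(all, k...)
	}
	return sha256.Sum256(all) // simplified stand-in for hashing the real table format
}

// Fuses models SRK_HASH plus the SRK_REVOKE bits (bit i revokes SRK index i).
// Index 0 is never revocable, and an OTP bit only ever goes from 0 to 1.
type Fuses struct {
	SRKHash [32]byte
	Revoked uint8
}

func (f *Fuses) RevokeSRK(idx int) error {
	if idx <= 0 || idx >= 4 {
		return fmt.Errorf("SRK index %d is not revocable", idx)
	}
	f.Revoked |= 1 << uint(idx)
	return nil
}

// IMGCert binds an IMG public key to one SRK slot. The SRK private key signs
// it once, when the owner issues it; the release signer never holds that key.
type IMGCert struct {
	SRKIndex int
	Pub      ed25519.PublicKey
	SRKSig   []byte
}

func certBody(idx int, pub ed25519.PublicKey) []byte { return append([]byte{byte(idx)}, pub...) }
func IssueIMGCert(srkPriv ed25519.PrivateKey, idx int, imgPub ed25519.PublicKey) IMGCert {
	return IMGCert{SRKIndex: idx, Pub: imgPub, SRKSig: ed25519.Sign(srkPriv, certBody(idx, imgPub))}
}

// Verify is the boot ROM's side: fused hash, revocation bit, SRK vouches for the
// IMG key, IMG key vouches for the image. sig is all the release signer computes.
func Verify(f Fuses, t SRKTable, cert IMGCert, image, sig []byte) error {
	idx := cert.SRKIndex
	switch {
	case t.Hash() != f.SRKHash:
		return errors.New("SRK table does not match SRK_HASH fuses")
	case idx < 0 || idx >= len(t.Keys):
		return fmt.Errorf("SRK index %d not in table", idx)
	case idx > 0 && f.Revoked&(1<<uint(idx)) != 0:
		return fmt.Errorf("SRK%d is revoked", idx)
	case !ed25519.Verify(t.Keys[idx], certBody(idx, cert.Pub), cert.SRKSig):
		return errors.New("IMG certificate not signed by the selected SRK")
	case !ed25519.Verify(cert.Pub, image, sig):
		return errors.New("image signature invalid")
	}
	return nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source; nothing sensible to do here
	}
	return pub, priv
}

// Outcome records the thread's scenario: SRK0 in-house, SRK1 delegated to a partner, then SRK1 revoked.
type Outcome struct{ InternalBefore, PartnerBefore, UncertifiedIMG, Revoke, InternalAfter, PartnerAfter error }

func Scenario() (o Outcome) {
	srk0Pub, srk0Priv := genKey()
	srk1Pub, srk1Priv := genKey()
	table := SRKTable{Keys: []ed25519.PublicKey{srk0Pub, srk1Pub}}
	fuses := Fuses{SRKHash: table.Hash()}
	intPub, intPriv := genKey() // owner's own IMG key, certified under SRK0
	intCert := IssueIMGCert(srk0Priv, 0, intPub)
	prtPub, prtPriv := genKey() // partner generates this; owner certifies it under SRK1
	prtCert := IssueIMGCert(srk1Priv, 1, prtPub)
	rogPub, rogPriv := genKey() // IMG key nobody certified: self-signed, claims SRK1
	rogCert := IMGCert{SRKIndex: 1, Pub: rogPub, SRKSig: ed25519.Sign(rogPriv, certBody(1, rogPub))}
	image := []byte("constructed stand-in for a boot image") // constructed sample input
	o.InternalBefore = Verify(fuses, table, intCert, image, ed25519.Sign(intPriv, image))
	o.PartnerBefore = Verify(fuses, table, prtCert, image, ed25519.Sign(prtPriv, image))
	o.UncertifiedIMG = Verify(fuses, table, rogCert, image, ed25519.Sign(rogPriv, image))
	o.Revoke = fuses.RevokeSRK(1) // the owner's response if the partner's key is compromised
	o.InternalAfter = Verify(fuses, table, intCert, image, ed25519.Sign(intPriv, image))
	o.PartnerAfter = Verify(fuses, table, prtCert, image, ed25519.Sign(prtPriv, image))
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Scenario() returns the six results so they can be checked rather than read off a console. Mapped onto CST: IssueIMGCert is the one-time step that needs the SRK private key when the PKI tree is generated; afterwards the partner needs only its IMG private key, the certificate and the public SRK table (in the real flow also a CSF key, omitted here). Because the SRK1 revocation bit is an OTP fuse, the partner's chain is dead on every device that has it burned, and SRK0-rooted images keep booting.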

mssp
Contributor II

Hello, thank you for the detailed reply.

In point 3 you mention

"[...] an IMG key ... allows them to sign images"

but in point 4

"The third party cannot independently sign with just an IMG key"

I am confused as to whether someone can sign images with an IMG key from our chain, or if the whole SRK is necessary. Which one is it?

If sharing the whole SRK is necessary and an IMG key is not enough, what is the use case of being able to generate multiple IMG keys (if I understand correctly from the documentation, that seems to be possible)?

Thanks


Bio_TICFSL
NXP TechSupport

Hi,

Yes, it is possible, but just one if you could manage.

Regards


mssp
Contributor II

Hi, unfortunately I'm not sure I understand your reply.

1) Is it possible for someone to sign software just with an IMG key, or do they need to have the SRK?
2) Why would someone need more than one IMG key?

Thank you