High Assurance Boot Certificate Validity

christopherpres
Contributor III

Hi,

I work on a Freescale i.MX28 and I use High Assurance Boot (HAB).

When creating certificates with the "hab4_pki_tree.sh" script, which is provided with the Code Signing Tool, I can enter a certificate validity duration of max. 20 years.

What happens after 20 years? Does the i.MX28 not boot anymore? Am I not able to sign software anymore? Or do I have to add new CSF and IMG certificates to sign software with them?

My questions are: Who checks the certificate duration and when? Which certificates have a limited duration (I assume the root-certificate has unlimited duration)?

Best regards,

Chris

1 Solution
rodz
Contributor III

Hi Chris,

Currently, if the validity period of the certificate expires nothing will happen. The ROM/HAB does not enforce certificate validity periods and the Code Signing Tool will still allow code to be signed. The intent is to enforce the cert validity periods with the code signing tool. However, this feature has not yet been added and is planned as an update to the code signing tool.

Regards,

-Rod


0 Kudos
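
Because, per the answer above, neither the ROM/HAB nor the Code Signing Tool enforces validity periods, a build pipeline can check expiry itself before it signs. The script below is an added example, not part of the Code Signing Tool or of the original posts; the function names, the 30-day default margin and the assumption that the signing certificates are PEM files in one directory are illustrative.

```shell
#!/bin/sh
# Added example: pre-signing gate for certificate validity.
# Assumption: the CSF/IMG certificates to be used are *.pem files in one
# directory; pass that directory as the first argument.

# cert_ok FILE MARGIN_DAYS
# Returns 0 only if FILE parses as an X.509 certificate that is still valid
# MARGIN_DAYS from now. Unreadable or non-certificate files fail closed.
cert_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_signing_certs DIR [MARGIN_DAYS]
# Returns 0 if every certificate passes, 1 if any is expired or inside the
# margin, 2 if DIR contains no certificates at all.
check_signing_certs() {
    dir=$1
    margin=${2:-30}
    bad=0
    found=0
    for crt in "$dir"/*.pem; do
        [ -f "$crt" ] || continue
        found=1
        if cert_ok "$crt" "$margin"; then
            echo "OK      $crt ($(openssl x509 -in "$crt" -noout -enddate))"
        else
            echo "EXPIRY  $crt is expired, unreadable, or expires within $margin days" >&2
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no certificates found in $dir" >&2
        return 2
    fi
    return "$bad"
}

# When run with arguments, act as a gate: a non-zero exit status should stop
# the build before the signing step is invoked.
[ "$#" -eq 0 ] || check_signing_certs "$@"
```

Run it as a step ahead of signing and abort the build on a non-zero exit status.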
gurukottur
Contributor I

Hi Rod,

Any update on the certificate expiry and certificate revocation and if the fuses can be revoked?

Regards,

Guru

0 Kudos