Number of keys allowed in secure boot on iMX8X?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Number of keys allowed in secure boot on iMX8X?

1,230 Views
Gandalf-kern
Contributor IV

1) If I need to change keys, what is the process to change private and public keys in secure boot on iMX8X and how many keys are allowed?

2) To be specific, what are the number of private and public keys allowed in secure boot on iMX8X?

3) And how many root keys are allowed on iMX8X?

0 Kudos
6 Replies

1,224 Views
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   Use app note "Secure Boot on i.MX 8 and i.MX 8X Families using AHAB".

https://www.nxp.com/docs/en/application-note/AN12312.pdf

 In particular, section 3.3 (Generating a PKI tree).

 

Regards,
Yuri.

0 Kudos

1,216 Views
Gandalf-kern
Contributor IV

Hi Yuri,

thanks but the document never mentions the number of allowable public and private keys. It mentions four root keys but not how many private and public keys are allowed. Do you have any idea or can you ask the secure boot team? Thanks!

0 Kudos

1,210 Views
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

  from CST documentation (Install Key command) key index range 0 .. 4 are allowed.

Regards,
Yuri.

0 Kudos

1,184 Views
Gandalf-kern
Contributor IV

I am reading AN4581 i.MX Secure Boot on HABv4 Supported Devices.

AN4581 says "only one SRK may be selected at boot time through an install SRK CSF command. In the case where one or more SRKs are compromised, it is possible to revoke that SRK.  There are up to four SRK revoke fuse bits that map to the SRK table indexes. An SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0] efuse field." The details are cryptic. 

I don't understand how to do SRK revocation. There are four SRK revoke fuse bits and an SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0].  How do I do this in u-boot from the command line? 

I used the SRK took to create a SRK table with four SRK keys. Then I get the fuses using the od command and program the fuses in u-boot. Now I want to revoke the second and last public keys. How do I do this? (I don't have any SECO events after rebooting.  Everything looks fine after programming the fuses).

1) Now I want to revoke SRK2 and SRK4 public keys, how do I do this from the u-boot command line?

2) I have programmed fuses 730-745 per NXP instructions, how many of these fuses are revoked for each SRK key that is revoked? One fuse for each SRK is revoked, so there are four fuses?

3) Are all four public keys available at boot time, or only the one SRK selected at boot time? In other words, can I have two public keys available at boot time if I want to use two public keys for some reason, one for a user and one for an admin as an example?

0 Kudos

1,178 Views
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   use the following resource regarding the revoking:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note; details of i.MX8 revoking are not public. Please create request:

https://www.nxp.com/support/support:SUPPORTHOME?tid=sbmenu

 

 Also: only public key is available at boot time.

Regards,
Yuri.

0 Kudos

1,172 Views
Gandalf-kern
Contributor IV

I have created a case for the AHAB documentation for revocation.