Number of keys allowed in secure boot on iMX8X?

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

Number of keys allowed in secure boot on iMX8X?

1,053件の閲覧回数
Gandalf-kern
Contributor IV

1) If I need to change keys, what is the process to change private and public keys in secure boot on iMX8X and how many keys are allowed?

2) To be specific, what are the number of private and public keys allowed in secure boot on iMX8X?

3) And how many root keys are allowed on iMX8X?

ラベル(1)
0 件の賞賛
6 返答(返信)

1,047件の閲覧回数
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   Use app note "Secure Boot on i.MX 8 and i.MX 8X Families using AHAB".

https://www.nxp.com/docs/en/application-note/AN12312.pdf

 In particular, section 3.3 (Generating a PKI tree).

 

Regards,
Yuri.

0 件の賞賛

1,039件の閲覧回数
Gandalf-kern
Contributor IV

Hi Yuri,

thanks but the document never mentions the number of allowable public and private keys. It mentions four root keys but not how many private and public keys are allowed. Do you have any idea or can you ask the secure boot team? Thanks!

0 件の賞賛

1,033件の閲覧回数
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

  from CST documentation (Install Key command) key index range 0 .. 4 are allowed.

Regards,
Yuri.

0 件の賞賛

1,007件の閲覧回数
Gandalf-kern
Contributor IV

I am reading AN4581 i.MX Secure Boot on HABv4 Supported Devices.

AN4581 says "only one SRK may be selected at boot time through an install SRK CSF command. In the case where one or more SRKs are compromised, it is possible to revoke that SRK.  There are up to four SRK revoke fuse bits that map to the SRK table indexes. An SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0] efuse field." The details are cryptic. 

I don't understand how to do SRK revocation. There are four SRK revoke fuse bits and an SRK key is revoked by burning the corresponding bit in the SRK_REVOKE[3:0].  How do I do this in u-boot from the command line? 

I used the SRK took to create a SRK table with four SRK keys. Then I get the fuses using the od command and program the fuses in u-boot. Now I want to revoke the second and last public keys. How do I do this? (I don't have any SECO events after rebooting.  Everything looks fine after programming the fuses).

1) Now I want to revoke SRK2 and SRK4 public keys, how do I do this from the u-boot command line?

2) I have programmed fuses 730-745 per NXP instructions, how many of these fuses are revoked for each SRK key that is revoked? One fuse for each SRK is revoked, so there are four fuses?

3) Are all four public keys available at boot time, or only the one SRK selected at boot time? In other words, can I have two public keys available at boot time if I want to use two public keys for some reason, one for a user and one for an admin as an example?

0 件の賞賛

1,001件の閲覧回数
Yuri
NXP Employee
NXP Employee

@Gandalf-kern 
Hello,

   use the following resource regarding the revoking:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note; details of i.MX8 revoking are not public. Please create request:

https://www.nxp.com/support/support:SUPPORTHOME?tid=sbmenu

 

 Also: only public key is available at boot time.

Regards,
Yuri.

0 件の賞賛

995件の閲覧回数
Gandalf-kern
Contributor IV

I have created a case for the AHAB documentation for revocation.