Hi,
I am using an imx6sx board and I am currently simulating the condition whereby one of the private keys is compromised. Therefore, I am trying to revoke the SRK that I am using to authenticate the kernel and the u-boot. I referred to the imx6sx application processor reference manual (pg 2828) and I would like to clarify what bits I need to set to revoke my first SRK out of the 4 SRKs that I generated (fuse prog 5 7 [? value to be set to reg]).
Regards,
Dheeraj
Hi Dheeraj
For revocation usage, one can check AN4581, Secure Boot on i.MX50, i.MX53, and i.MX6 Series using HABv4:
https://www.nxp.com/docs/en/application-note/AN4581.pdf
Best regards
igor
Hi Igor,
Thank you, I have managed to revoke SRK0 and my boot process is unsuccessful. However, I changed my CSF file but I am still unable to secure boot using the other 3 remaining keys. Below is my CSF file. May I know what exactly is going wrong?
CSF File
[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = ANY
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../../crts/CSF2_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
#Left blank because by doing so configuration is set to default
[Unlock]
Engine=CAAM
Features=RNG
[Unlock]
Engine = OCOTP
Features = SRK Revoke
[Install Key]
#authenticates and installs a public key for use in Authenticate Data command
Verification index = 0
Target index = 2
File = "../../crts/IMG2_1_sha256_2048_65537_v3_usr_crt.pem"
# Sign padded u-boot starting at the IVT through to the end with
# length = 0x2F000 (padded u-boot length) - 0x400 (IVT offset) = 0x2EC00
# This covers the essential parts: IVT, boot data and DCD.
# Blocks have the following definition:
# Image block start address on i.MX, Offset from start of image file,
# Length of block in bytes, image data file
[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x0006fc00 "../../../u-boot-imx6-boundary-v2017.07/u-boot.imx"
Regards,
Dheeraj
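Added example, not part of the thread and not NXP code: a small Python lint that checks whether a CSF's [Install SRK] Source index points at a revoked SRK and whether the CSFK and image certificates were issued under that same SRK. It assumes the CST default naming (CSF<n>_1 and IMG<n>_1 issued under SRK<n>), a zero-based Source index, and a caller-supplied revocation mask in which bit i marks SRK index i as revoked; the function names are hypothetical.

```python
import re

# Constructed sample: the SRK-related commands from the CSF posted above.
SAMPLE_CSF = '''\
[Install SRK]
File = "../../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "../../crts/CSF2_1_sha256_2048_65537_v3_usr_crt.pem"
[Install Key]
Verification index = 0
Target index = 2
File = "../../crts/IMG2_1_sha256_2048_65537_v3_usr_crt.pem"
'''

def parse_csf(text):
    """Return [(command, {key: value})] in file order; '#' lines are comments."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            commands.append((header.group(1).strip().lower(), {}))
        elif "=" in line and commands:
            key, value = line.split("=", 1)
            commands[-1][1][key.strip().lower()] = value.strip().strip('"')
    return commands

def lint_srk_selection(text, revoked_mask):
    """Flag a revoked Source index and certificates issued under another SRK."""
    findings, source_index = [], None
    for command, fields in parse_csf(text):
        if command == "install srk":
            source_index = int(fields["source index"], 0)
            if revoked_mask >> source_index & 1:
                findings.append(f"Source index {source_index} selects a revoked SRK")
        elif command in ("install csfk", "install key") and source_index is not None:
            # Assumption: CST default names, CSF<n>_1 / IMG<n>_1 issued under SRK<n>.
            name = re.search(r"(?:CSF|IMG)(\d+)_\d+_", fields.get("file", ""))
            if name and int(name.group(1)) - 1 != source_index:
                findings.append(f"{command}: {name.group(0)[:-1]} belongs to SRK index "
                                f"{int(name.group(1)) - 1}, not Source index {source_index}")
    return findings
```

Running `lint_srk_selection(SAMPLE_CSF, 0b0001)` on the sample reports three findings; the same text with `Source index = 1` reports none.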