[Secure Boot]CST 3.0.1:the validity period of the corresponding certificates

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[Secure Boot]CST 3.0.1:the validity period of the corresponding certificates

Jump to solution
2,625 Views
yongheluo_hotma
Contributor III

Dear Yuri,

     在使用CST生成PKI时,运行 hab4_pki_tree.sh 脚本,其中有一个输入:

        — Enter PKI tree duration (years):
            – This defines the validity period of the corresponding certificates.

     我们的设备要求具有10年以上的使用寿命。

    我们的问题是:

   1)在使用CST工具对Uboot等进行签名是,是否会用到这个签名的有效期、是否会去判断这个有效期?如:当我输入10,则10年以后,这些证书是否会失效?

   2)在i.mx6 的boot中,是否会去判断签名的有效性?如:boot rom、HAB、或uboot运行时,会去判断签名的有效性吗?如何判断?如果超期会出现什么情况?

  3)也就是说:证书的有效性是否对我们的产品寿命带来影响?假设我们的设备20年后仍然还在使用,但是签名的有效期已经过,会导致我们的设备无法使用吗?

     谢谢!

    Yonghe.Luo

Yuri@Yuri #Secure boot #CST

Tags (2)
1 Solution
2,353 Views
Yuri
NXP Employee
NXP Employee

Hello,

  CST implementation now provides only option to generate new key / certificates (previous ones

are not used with CST).

Regards,

Yuri.

View solution in original post

0 Kudos
Reply
4 Replies
2,353 Views
Yuri
NXP Employee
NXP Employee

Hello,

  HAB on iMX doesn't verify the certificate period, so a signed image will continue

to boot on closed (locked) independent of certificate period set with CST tool.

If such functionality (check the certificate period) is desired, customers could implement

it as software functionality of the first boot stages (say, in U-boot).

 


Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply
2,353 Views
yongheluo_hotma
Contributor III

Dear Yuri,

    非常感谢您的回复。

    您的回复,已经回答了我的第二问题,即:i.mx6中不会去判断证书在时间方面的有效性;

    但是,在使用CST工具对uBoot等image进行签名时,是否会对证书在时间方面的有效性判断呢?(即:上述第一个问题)比如:证书有效期为10年,10年以后再用当前所生成的key对image签名,将会提示证书过期?

    谢谢!

    Yonghe.Luo

0 Kudos
Reply
2,354 Views
Yuri
NXP Employee
NXP Employee

Hello,

  CST implementation now provides only option to generate new key / certificates (previous ones

are not used with CST).

Regards,

Yuri.

0 Kudos
Reply
2,353 Views
yongheluo_hotma
Contributor III

Dear Yuri,

    好的,了解了。

  谢谢!

   Yonghe.Luo