- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Secure boot IMX8M keys and certs maintainance
Hi Team,
As most of you know, we use the NXP CST (Code Signing Tool) to generate the keys and certificates required for secure booting on i.MX8M series processors. However, I would like some clarification and insights on how keys and certificates are managed in production systems, especially over the long life cycle of embedded devices.
Here are my questions:
When using the CST tool, we specify a validity period for the keys and certificates (e.g., 10 years). However, most embedded devices have a life expectancy of 15-20 years, sometimes even longer. How do we handle key and certificate updates once they expire?
Once the keys or certificates expire, does secure booting stop working, or is there a way to maintain the system's security without interrupting secure boot?
Since the OTP (One-Time Programmable) memory can only be programmed once, how can we update the keys and certificates without reprogramming the OTP? Is there a method for handling updates securely after OTP programming?
What is the best way to manage secure boot infrastructure for Linux-based embedded systems using i.MX8M processors, ensuring long-term security and functionality without key expiration issues?
Any advice or best practices on how to manage keys, certificates, and secure booting over the long term for embedded systems would be highly appreciated.
Thank you in advance for your help!
