Testing signed images

eduardo3
Contributor III

Hello,

I am in the process of adding signed images to our board but I was left with questions on how to test that.

After getting a signed os_cntr_signed.bin image, it boots fine. On u-boot when I try ahab_status, I see SECO events (because I don't have my keys fused yet).

Initially I thought I could use u-boot fuse override for testing the fuse values I need to use, but that is not implemented. After searching on how to use fuse shadow registers, I found that it is not possible. Examples:

https://community.nxp.com/t5/i-MX-Processors/Access-to-OCOTP-registers-from-SCU-on-IMX8QM-leads-to-h...

https://community.nxp.com/t5/i-MX-Processors/IMX8-unable-to-override-OCOTP-shadow-registers-Is-there...

Initially I thought I could implement something like what is mentioned in the first link.

Based on that, how am I supposed to test secure boot keys / commands without permanently fusing the keys or bricking the board?

What is NXP advice on that?

For reference, we are using i.MX8X (imx8qxp).

 

1 Solution
Bio_TICFSL
NXP TechSupport

Hello,

If not burning the SRK fuse, you can use the OpenSSL command to analyze the images with their key.

 

Regards

3 Replies
eduardo3
Contributor III

I'll try the openssl approach in the future. Another FAE we contacted also confirmed there is no way of testing on an imx8 board without fusing the keys. His suggestion in that case was to fuse (if we are fine with that) but not close the device.

imx8mp_developer
Contributor I

I am interested in this topic!
I need to verify the os_cntr_signed.bin container coming out from a Yocto AHAB-signed build for imx93

If I do:
~/cst-4.0.0/linux64/bin/ahab_image_verifier os_cntr_signed.bin 0 0


I get:

Signature Block:
 Version: 0
 Length: 2648 bytes
 Tag: 0x90
 Certificate Offset: 0x0
 SRK Table/Array Offset: 0x10
 SRK Table:
   Tag: 0xD7
   Length: 2112 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 527 bytes
     Sign Algorithm: RSA       
     Hash Algorithm: SHA2_384       
     Key Size/Curve: RSA4096       
     SRK Flags: CA Flags       
     Modulus (N):
.....
Signature verification failed

This doesn't happen for imx-boot-imx93-var-som-aski-sd.bin-flash_singleboot_gdet

Signature Block:
 Version: 0
 Length: 400 bytes
 Tag: 0x90
 Certificate Offset: 0x0
 SRK Table/Array Offset: 0x10
 SRK Table:
   Tag: 0xD7
   Length: 308 bytes
   Version: 66
   SRK Record:
     Tag: 0xE1
     Length: 76 bytes
     Sign Algorithm: ECDSA       
     Hash Algorithm: SHA2_256       
     Key Size/Curve: PRIME256V1       
     SRK Flags: None       
     X Coordinate:  ....
     Y Coordinate:  ...

......

Signature verification successful

I am using a Digicert HSM for the signature.

Does anybody have a clue about the verification failure for os_cntr_signed?
Does anybody have a hint on how to verify the signature with openssl? (Just to exclude that the issue is ahab_image_verifier itself.)
