Use the same key for CSF and IMG?

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Use the same key for CSF and IMG?

2,271 次查看
tonywh
Contributor I

I'm making a product with secure boot. My company has CA -> Intermediate key -> Product key. I plan to program the Intermediate key in SRK0. Can I use the Product key as both CSF key and IMG key for secure boot? Is there any reason it might be inadvisable to do this?

Thanks,

Tony

标签 (1)
0 项奖励
回复
5 回复数

2,260 次查看
tonywh
Contributor I

Sorry I put this in the wrong place.

0 项奖励
回复

2,268 次查看
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello tonyhw,

 

HAB 4.1.2 or later introduces the fast authentication feature, which allows the user to have the SRK authenticate, the CSF and IMG. Customer need choose 'n' for below question when generating PKI tree with CST tools:   Do you want the SRK certificates to have the CA flag set? (y/n)?: n     If Fast Authentication is what is really needed – i.MX 6UL supports it.   Please refer to the following for some additional information   “Secure Boot i.MX 6 & HAB 4.1.2”

  < https://community.nxp.com/message/644308 >

For normal authentication, CSF public key is used to authenticate CSF commands and IMG public key is used to authenticate image, they are installed in separate key slots of internal public key store.     It isn't possible to apply the same certificate for CSF and IMG.

Regards

 

0 项奖励
回复

2,259 次查看
tonywh
Contributor I

Thanks for the response. Perhaps I need to clarify our requirement a bit more. We have to use the Intermediate key in SRK to satisfy key rotation and product life requirements. What I want to know is whether we can install the same key into the key slots for the CSF public key and the IMG public key.

Thanks,

Tony

0 项奖励
回复

2,247 次查看
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hi,

 

Sorry is not possible.

 

Regards

 

0 项奖励
回复

1,561 次查看
mprt42
Contributor III

Hi @Bio_TICFSL 

can you elaborate a bit more on that?

I briefly compared the relevant parts of the hab4_pki_tree script and could not see anything that looks different between the generation of the IMG and CSF keys/certs.

So what's the issue with simply reusing the same key for both?

...
[Install CSFK]
File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem [Authenticate CSF] [Install Key] Verification index = 0 Target Index = 2
File =
CSF1_1_sha256_4096_65537_v3_usr_crt.pem
...

 

In general, what's the reason for having seperate keys for CSF and IMG in the first place?
(I know there is the fast authenticatio mechanism, but I want to understand the potential security implications)

Thanks!