FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Use the same key for CSF and IMG?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use the same key for CSF and IMG?

‎02-09-2021 09:05 AM
2,337 Views
tonywh
Contributor I

I'm making a product with secure boot. My company has CA -> Intermediate key -> Product key. I plan to program the Intermediate key in SRK0. Can I use the Product key as both CSF key and IMG key for secure boot? Is there any reason it might be inadvisable to do this?

Thanks,

Tony

Labels (1)
0 Kudos
Reply
5 Replies

‎02-10-2021 02:42 AM
2,326 Views
tonywh
Contributor I

Sorry I put this in the wrong place.

0 Kudos
Reply

‎02-09-2021 10:35 AM
2,334 Views
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello tonyhw,

 

HAB 4.1.2 or later introduces the fast authentication feature, which allows the user to have the SRK authenticate, the CSF and IMG. Customer need choose 'n' for below question when generating PKI tree with CST tools:   Do you want the SRK certificates to have the CA flag set? (y/n)?: n     If Fast Authentication is what is really needed – i.MX 6UL supports it.   Please refer to the following for some additional information   “Secure Boot i.MX 6 & HAB 4.1.2”

  < https://community.nxp.com/message/644308 >

For normal authentication, CSF public key is used to authenticate CSF commands and IMG public key is used to authenticate image, they are installed in separate key slots of internal public key store.     It isn't possible to apply the same certificate for CSF and IMG.

Regards

 

0 Kudos
Reply

‎02-10-2021 02:45 AM
2,325 Views
tonywh
Contributor I

Thanks for the response. Perhaps I need to clarify our requirement a bit more. We have to use the Intermediate key in SRK to satisfy key rotation and product life requirements. What I want to know is whether we can install the same key into the key slots for the CSF public key and the IMG public key.

Thanks,

Tony

0 Kudos
Reply

‎02-11-2021 07:39 AM
2,313 Views
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hi,

 

Sorry is not possible.

 

Regards

 

0 Kudos
Reply

‎05-15-2024 04:40 AM
1,627 Views
mprt42
Contributor III

Hi @Bio_TICFSL 

can you elaborate a bit more on that?

I briefly compared the relevant parts of the hab4_pki_tree script and could not see anything that looks different between the generation of the IMG and CSF keys/certs.

So what's the issue with simply reusing the same key for both?

...
[Install CSFK]
  File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem

[Authenticate CSF]

[Install Key]
  Verification index = 0
  Target Index = 2
  File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem
...

 

In general, what's the reason for having seperate keys for CSF and IMG in the first place?
(I know there is the fast authenticatio mechanism, but I want to understand the potential security implications)

Thanks!

Reply