ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Use the same key for CSF and IMG?

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

Use the same key for CSF and IMG?

‎02-09-2021 09:05 AM
2,219件の閲覧回数
tonywh
Contributor I

I'm making a product with secure boot. My company has CA -> Intermediate key -> Product key. I plan to program the Intermediate key in SRK0. Can I use the Product key as both CSF key and IMG key for secure boot? Is there any reason it might be inadvisable to do this?

Thanks,

Tony

ラベル(1)
0 件の賞賛
返信
5 返答(返信)

‎02-10-2021 02:42 AM
2,208件の閲覧回数
tonywh
Contributor I

Sorry I put this in the wrong place.

0 件の賞賛
返信

‎02-09-2021 10:35 AM
2,216件の閲覧回数
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello tonyhw,

 

HAB 4.1.2 or later introduces the fast authentication feature, which allows the user to have the SRK authenticate, the CSF and IMG. Customer need choose 'n' for below question when generating PKI tree with CST tools:   Do you want the SRK certificates to have the CA flag set? (y/n)?: n     If Fast Authentication is what is really needed – i.MX 6UL supports it.   Please refer to the following for some additional information   “Secure Boot i.MX 6 & HAB 4.1.2”

  < https://community.nxp.com/message/644308 >

For normal authentication, CSF public key is used to authenticate CSF commands and IMG public key is used to authenticate image, they are installed in separate key slots of internal public key store.     It isn't possible to apply the same certificate for CSF and IMG.

Regards

 

0 件の賞賛
返信

‎02-10-2021 02:45 AM
2,207件の閲覧回数
tonywh
Contributor I

Thanks for the response. Perhaps I need to clarify our requirement a bit more. We have to use the Intermediate key in SRK to satisfy key rotation and product life requirements. What I want to know is whether we can install the same key into the key slots for the CSF public key and the IMG public key.

Thanks,

Tony

0 件の賞賛
返信

‎02-11-2021 07:39 AM
2,195件の閲覧回数
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hi,

 

Sorry is not possible.

 

Regards

 

0 件の賞賛
返信

‎05-15-2024 04:40 AM
1,509件の閲覧回数
mprt42
Contributor III

Hi @Bio_TICFSL 

can you elaborate a bit more on that?

I briefly compared the relevant parts of the hab4_pki_tree script and could not see anything that looks different between the generation of the IMG and CSF keys/certs.

So what's the issue with simply reusing the same key for both?

...
[Install CSFK]
  File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem

[Authenticate CSF]

[Install Key]
  Verification index = 0
  Target Index = 2
  File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem
...

 

In general, what's the reason for having seperate keys for CSF and IMG in the first place?
(I know there is the fast authenticatio mechanism, but I want to understand the potential security implications)

Thanks!

返信