- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Use the same key for CSF and IMG?
Use the same key for CSF and IMG?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Use the same key for CSF and IMG?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm making a product with secure boot. My company has CA -> Intermediate key -> Product key. I plan to program the Intermediate key in SRK0. Can I use the Product key as both CSF key and IMG key for secure boot? Is there any reason it might be inadvisable to do this?
Thanks,
Tony
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I put this in the wrong place.
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello tonyhw,
HAB 4.1.2 or later introduces the fast authentication feature, which allows the user to have the SRK authenticate, the CSF and IMG. Customer need choose 'n' for below question when generating PKI tree with CST tools: Do you want the SRK certificates to have the CA flag set? (y/n)?: n If Fast Authentication is what is really needed – i.MX 6UL supports it. Please refer to the following for some additional information “Secure Boot i.MX 6 & HAB 4.1.2”
< https://community.nxp.com/message/644308 >
For normal authentication, CSF public key is used to authenticate CSF commands and IMG public key is used to authenticate image, they are installed in separate key slots of internal public key store. It isn't possible to apply the same certificate for CSF and IMG.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. Perhaps I need to clarify our requirement a bit more. We have to use the Intermediate key in SRK to satisfy key rotation and product life requirements. What I want to know is whether we can install the same key into the key slots for the CSF public key and the IMG public key.
Thanks,
Tony
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry is not possible.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Bio_TICFSL
can you elaborate a bit more on that?
I briefly compared the relevant parts of the hab4_pki_tree script and could not see anything that looks different between the generation of the IMG and CSF keys/certs.
So what's the issue with simply reusing the same key for both?
...
[Install CSFK] File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem [Authenticate CSF] [Install Key] Verification index = 0 Target Index = 2
File = CSF1_1_sha256_4096_65537_v3_usr_crt.pem
...
In general, what's the reason for having seperate keys for CSF and IMG in the first place?
(I know there is the fast authenticatio mechanism, but I want to understand the potential security implications)
Thanks!
