Hi.
I am using the authenticated boot feature of i.MX6ul and I would like to ask:
What is the advantage of using dedicated CSF and IMG signing keys compared to using directly the SRKs for signing (so-called "fast authentication")?
Regards,
Michal
Hello,
The classical Public Key Infrastructure (PKI) approach allows the use of multiple CSF and IMG keys,
say for different design teams.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi Yuri.
Thanks for your reply.
If the goal was to allow different teams to have different keys, why are there different keys for CSF signing and for image signing? Both CSF and image signatures are generated by the CST in one step.
Regards,
Michal
Hello,
"Additional keys may be added to the tree later using a separate script."
You may look at section 3.2.5 (Adding a Key to a HAB4 PKI Tree) of the recent CST (2.3.3) documentation.
Also, customers may use their own CST (Appendix B Replacing the CST Backend Implementation).
Regards,
Yuri.
Hi Yuri.
I am using CST Rev. 2.3.1 so sorry if my questions are already answered in the updated document.
My questions are:
1) Why would someone want to use one key for CST signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.
2) Certificates generated by the add_key.sh script have a validity interval based on user's input. Is HAB checking certificate validity during boot time?
Regards,
Michal
Hello,
1. The IMX boot ROM HAB implementation does not allow the use of one key for CST signing and a different key for IMG signing.
2. Details of the boot ROM HAB implementation are not provided publicly. Please create a request / ticket.
Have a great day,
Yuri
Hi Yuri.
Sorry, there was a typo in the first question - should be CSF signing and not CST signing. The question is:
1) Why would someone want to use one key for CSF signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.
CSF key is installed by the CSF command [Install CSFK], IMG key by the [Install Key] command.
Regards,
Michal
Hello,
The IMG may also be encrypted; the CSF should only be signed.
Regards,
Yuri.
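
The two CSF layouts compared in this thread, side by side, as an added example that is not part of the original posts or of the CST documentation: the standard tree installs a CSF key with [Install CSFK] and an IMG key with [Install Key], while fast authentication installs the SRK itself with [Install NOCAK]. All file names and the Blocks values are placeholders, and the [Header] section is left out because it depends on the CST version and SoC.

```ini
# ---- Layout A: standard HAB4 tree (SRK -> CSF key, SRK -> IMG key) ----
[Install SRK]
    File = "<SRK table file>"          # placeholder
    Source index = 0                   # which SRK in the table is used

[Install CSFK]
    File = "<CSF key certificate>"     # placeholder; certificate signed by the SRK

[Authenticate CSF]                     # CSF commands verified with the CSF key

[Install Key]
    Verification index = 0             # verified against the SRK (slot 0)
    Target index = 2                   # slot that will hold the IMG key
    File = "<IMG key certificate>"     # placeholder; certificate signed by the SRK

[Authenticate Data]
    Verification index = 2             # image verified with the IMG key
    Blocks = <address> <offset> <length> "<image file>"   # placeholders

# ---- Layout B: fast authentication (SRK signs CSF and image directly) ----
[Install SRK]
    File = "<SRK table file>"          # placeholder
    Source index = 0

[Install NOCAK]
    File = "<SRK certificate>"         # placeholder; the SRK itself, no subordinate keys

[Authenticate CSF]                     # CSF commands verified with the SRK

[Authenticate Data]
    Verification index = 0             # image verified with the SRK (slot 0)
    Blocks = <address> <offset> <length> "<image file>"   # placeholders
```

In Layout A the SRK private key is needed only when a CSF or IMG certificate is issued, whereas in Layout B it is needed for every signing run.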