Why not use only fast authentication?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Why not use only fast authentication?

Jump to solution
1,133 Views
michalhojsik
Contributor II

Hi.

I am using the authenticated boot feature of i.MX6ul and I would like to ask:

What is the advantage of using dedicated CSF and IMG signing keys compared to using directly the SRKs for signing (so-called "fast authentication")?

Regards,

Michal

Labels (1)
0 Kudos
1 Solution
979 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The IMG also may be encrypted, CSF should be only signed.   

Regards,

Yuri.

View solution in original post

0 Kudos
7 Replies
979 Views
Yuri
NXP Employee
NXP Employee

Hello,

   Classical  Public Key Infrastructure (PKI) approach allows to use multiple CSF and IMG keys,

say for different design teams. 

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
979 Views
michalhojsik
Contributor II

Hi Yuri.

Thanks for your reply.

If the goal was to allow different teams to have different keys, why there are different keys for CSF signing and for image signing? Both CSF and image signatures are generated by the CST in one step.

Regards,

Michal

0 Kudos
979 Views
Yuri
NXP Employee
NXP Employee

Hello,

  "Additional keys may be added to the tree later using a separate script."

 You may look at section 3.2.5 (Adding a Key to a HAB4 PKI Tree) of the recent CST (2.3.3) documentation.

  Also, customers may use own CST (Appendix B Replacing the CST Backend Implementation)

 

Regards,

Yuri.

0 Kudos
979 Views
michalhojsik
Contributor II

Hi Yuri.

I am using CST Rev. 2.3.1 so sorry if my questions are already answered in the updated document.

My questions are:

1) Why would someone want to use one key for CST signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

2) Certificates generated by the add_key.sh script have a validity interval based on user's input. Is HAB checking certificate validity during boot time?

Regards,

Michal

0 Kudos
979 Views
Yuri
NXP Employee
NXP Employee

Hello,

 

 1. 

    IMX boot ROM HAB implementation does not allow to use one key for CST signing and

a different key for IMG signing.

2.

  Details of  boot ROM HAB implementation are not provided publically.

Please create request / ticket.

Support|NXP  

Have a great day,

Yuri

 

------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer

button. Thank you!

0 Kudos
979 Views
michalhojsik
Contributor II

Hi Yuri.

Sorry, there was a typo in the first question - should be CSF signing and not CST signing. The question is:

1) Why would someone want to use one key for CSF signing and a different key for IMG signing when both keys are used by the same tool? I cannot see any advantage in it.

CSF key is installed by the CSF command [Install CSFK], IMG key by the [Install Key] command.

Regards,

Michal

0 Kudos
980 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The IMG also may be encrypted, CSF should be only signed.   

Regards,

Yuri.

0 Kudos