add_key.sh: error adding further SRK key to SRK table


antonio_santagi
Contributor IV

Hello,

I am using the script add_key.sh to add a new SRK key (SRK3) to an already built PKI tree containing 2 SRK keys (SRK1 and SRK2).

I answer the questions as follows:

Which version of HAB/AHAB do you want to generate the key for (4 = HAB4 / a = AHAB)?: 4
Enter new key name (e.g. SRK5): SRK3
Enter new key type (ecc / rsa): rsa
Enter new key length in bits: 4096
Enter certificate duration (years): 10
Is this an SRK key?: yes
Enter SRK signing key name: ..path..CA1_sha256_4096_65537_v3_ca_key.pem
Enter SRK signing certificate name: ..path..CA1_sha256_4096_65537_v3_ca_crt.pem
Generating RSA private key, 4096 bit long modulus (2 primes)

SRK3 private/public key pair is generated.

Now I try generating the SRK table and the fuse map with the 3 SRK keys (2 SRK keys added when building the PKI tree at the beginning and this SRK3 key just added).

I get the error message:

[ERROR] SRKTOOL: All certificates must be either CA or user certs

Why does this happen?

SRK1 and SRK2 were defined at the beginning with the CA flag set to 'yes':

Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 2
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

That means that the IMG1, IMG2, CST1, CST2 keys were also generated.

I then also tried to add IMG3 and CST3 keys signed by the new SRK3 key, using the script add_key.sh, but I anyway got the same error as when I tried to generate the SRK table and fuse map with SRK1, SRK2, SRK3.

If instead I initially generate the SRK tree with 2 keys, SRK1 and SRK2, with the CA flag set to no, then I don't get any error if I build the SRK table after I add SRK3 with the script add_key.sh.

In summary, does it mean that if I want to add an SRK key later to a PKI tree with two SRK keys already generated, I need to generate all the SRK keys with CA not set?

And then does it mean that I cannot have IMG and CST keys? Selecting 'n' at "Do you want the SRK certificates to have the CA flag set? (y/n)?" means we switch to using fast authentication, so only the SRK key is used, is that right?

Can I use this fast authentication configuration on i.MX8M Mini? I read that it is supported only from HAB 4.1.2.

Or what other limitations are there if I want to add SRK keys later?

thank you
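
The SRKTOOL message quoted above is about one property of the certificates: every SRK certificate in the table must carry the same basicConstraints CA flag, either all CA or all user. The following script is an added example for this thread, not part of NXP's CST scripts (hab4_pki_tree.sh / add_key.sh), and it only assumes the openssl command-line tool is in PATH. It classifies each SRK certificate by its CA flag and reports whether a set is uniform, so a mixed set can be spotted before srktool is run. The `make_sample_cert` helper and the demo build constructed self-signed sample certificates (two CA, one user) purely to exercise the check; they are not a replacement for the CST-generated PKI tree.

```shell
#!/bin/sh
# Added example, not part of NXP's CST scripts (hab4_pki_tree.sh / add_key.sh).
# Classifies SRK certificates by their basicConstraints CA flag, the property
# SRKTOOL requires to be uniform across the table ("All certificates must be
# either CA or user certs"). Assumes the openssl CLI is in PATH.

# srk_cert_kind CERT.pem -> prints "ca" when basicConstraints says CA:TRUE,
# otherwise "user" (CA:FALSE or no basicConstraints extension at all).
# Note: this greps the textual dump, so it is a pre-flight check, not a parser.
srk_cert_kind() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo user
    fi
}

# srk_table_kind CERT1.pem [CERT2.pem ...] -> prints "ca", "user" or "mixed".
# Returns 0 for a uniform set (what srktool accepts) and 1 for a mixed one.
srk_table_kind() {
    table=""
    for cert in "$@"; do
        kind=$(srk_cert_kind "$cert")
        if [ -z "$table" ]; then
            table=$kind
        elif [ "$table" != "$kind" ]; then
            echo mixed
            return 1
        fi
    done
    echo "$table"
    return 0
}

# make_sample_cert DIR NAME TRUE|FALSE -> writes DIR/NAME.pem, a constructed
# self-signed P-256 certificate whose basicConstraints CA flag is the 3rd arg.
# A private config file is used so the system openssl.cnf cannot add its own
# CA flag. Sample data only; not how CST generates SRK certificates.
make_sample_cert() {
    dir=$1; name=$2; ca=$3
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nbasicConstraints = critical,CA:%s\n' \
        "$name" "$ca" > "$dir/$name.cnf"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 1 \
        -config "$dir/$name.cnf" >/dev/null 2>&1
}

# Demo: two CA SRK certs plus a third generated without the CA flag, which is
# exactly the situation the SRKTOOL error message describes.
demo_mixed_table() {
    dir=$(mktemp -d)
    make_sample_cert "$dir" SRK1 TRUE
    make_sample_cert "$dir" SRK2 TRUE
    make_sample_cert "$dir" SRK3 FALSE
    for c in SRK1 SRK2 SRK3; do
        echo "$c: $(srk_cert_kind "$dir/$c.pem")"
    done
    verdict=$(srk_table_kind "$dir/SRK1.pem" "$dir/SRK2.pem" "$dir/SRK3.pem") || true
    echo "table: $verdict"
    rm -rf "$dir"
    [ "$verdict" != mixed ]
}

# Run "sh srk_check.sh demo" to see the mixed case; source the file to use the
# functions on real SRK*_crt.pem files before calling srktool.
case "${1:-}" in demo) demo_mixed_table ;; esac
```

Running the demo prints `SRK1: ca`, `SRK2: ca`, `SRK3: user` and `table: mixed`, and exits non-zero, which is the same condition srktool rejects. Pointing `srk_table_kind` at the real SRK1..SRK3 certificate files from the PKI tree shows immediately which certificate was generated without the CA flag.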

8 Replies
emptyfridge
Contributor III

Hi guys,

Trying to introduce secure boot in our products. Before I turn it on in the whole world I would like to clear some points. Maybe you can help me with that. Would be great.

1. If I generated 4 SRKs and burned the hash from the hexdump command into the fuses of the i.MX, it is not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?

2. Which files do I need to protect, for example with "git secret"? Any key management suggestion?

3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say in case all of the 4 SRK/IMG files I need to sign get lost (for whatever reason). Am I able to still generate signed images that will be accepted by the burned hash on the i.MX?

Maybe an additional question: is there any Yocto integration planned on meta-freescale?

Thanks guys

Yuri
NXP Employee

thomaslinder 
Hello,

I think it makes sense to create a separate thread for your questions.

Regards,

Yuri.

Yuri
NXP Employee

Hello,

I am trying to reproduce the issue, but in my case srktool is not working at all.

Nevertheless, I think in your case you need to add SRK3 separately, using the CA, and then IMG3 and CST3, using SRK3.

Regards,

Yuri.

antonio_santagi
Contributor IV

Yes, 

I added the SRK3 key using the same CA private key and public key I used to create the PKI tree with SRK1 and SRK2 originally.

But when I generate SRK3 the add_key.sh script doesn't ask if I want it with the CA flag set, as hab4_pki_tree.sh does ask when you first generate the PKI tree.

Yuri
NXP Employee

Hi,

Do you use the recent CST 3.3.0?

~Yuri.

antonio_santagi
Contributor IV

Yes, I am using that version, CST 3.3.0.

Yuri
NXP Employee

antonio.santagiuliana@eurotech.com 

Hello,

Just tried:

pastedImage_1.png

The question about setting the CA flag is present.

Regards,

Yuri.

antonio_santagi
Contributor IV

Ok.

Now I found why it didn't ask me that question about the CA flag: it's because I replied with 'yes' instead of 'y' to the previous question 'Is this an SRK key?'.

If I reply with 'y', now I see that it asks if I want the CA flag set. The problem was simple.

thanks