Hello,
I am using the script add_key.sh to add a new SRK key (SRK3) to an already generated PKI tree containing 2 SRK keys (SRK1 and SRK2).
I answer the questions as follows:
Which version of HAB/AHAB do you want to generate the key for (4 = HAB4 / a = AHAB)?: 4
Enter new key name (e.g. SRK5): SRK3
Enter new key type (ecc / rsa): rsa
Enter new key length in bits: 4096
Enter certificate duration (years): 10
Is this an SRK key?: yes
Enter SRK signing key name: ..path..CA1_sha256_4096_65537_v3_ca_key.pem
Enter SRK signing certificate name: ..path..CA1_sha256_4096_65537_v3_ca_crt.pem
Generating RSA private key, 4096 bit long modulus (2 primes)
SRK3 private/public key pair is generated.
Now I try generating the SRK table and the fuse map with the 3 SRK keys (the 2 SRK keys added when building the PKI tree at the beginning and this SRK3 key just added).
I get the error message:
[ERROR] SRKTOOL: All certificates must be either CA or user certs
Why does this happen?
SRK1 and SRK2 were defined at the beginning with the CA flag set to 'yes':
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 2
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
That means that the IMG1, IMG2, CST1, CST2 keys were also generated.
I then also tried to add IMG3 and CST3 keys signed by the new SRK3 key, using the script add_key.sh, but I got the same error anyway as when I tried to generate the SRK table and fuse map with SRK1, SRK2, SRK3.
If instead I initially generate the SRK tree with 2 keys, SRK1 and SRK2, with the CA flag set to no, then I don't get any error if I build the SRK table after I have added SRK3 with the script add_key.sh.
In summary, does it mean that if I want to add an SRK key later to a PKI tree with two SRK keys already generated, I need to generate all the SRK keys with CA not set?
And then does it mean that I cannot have IMG and CST keys? Selecting 'n' at "Do you want the SRK certificates to have the CA flag set? (y/n)?" means we switch to fast authentication, so only the SRK key is used, is that right?
Can I use this fast authentication configuration on i.MX8M Mini? I read that it is supported only from HAB 4.1.2.
Or what other limitations are there if I want to add SRK keys later?
thank you
Hi guys,
Trying to introduce secure boot in our products. Before I turn it on in the whole world I would like to clear up some points. Maybe you can help me with that. Would be great.
1. If I generated 4 SRKs and burned the hash from the hexdump command into the fuses of the i.MX, it is
not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?
2. Which files do I need to protect, for example with "git secret"? Key management suggestion?
3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say in case all of the 4 SRK/IMG files I need to sign get lost (for whatever reason). Am I able to still generate signed images that will be accepted by the burned hash on the i.MX?
Maybe an additional question: is there any Yocto integration planned in meta-freescale?
Thanks guys
thomaslinder
Hello,
I think it makes sense to create a separate thread for Your questions.
Regards,
Yuri.
Hello,
I am trying to reproduce the issue, but in my case srktool is not working at all.
Nevertheless, I think in Your case it is needed to add SRK3 separately, using the CA, and then IMG3 and CST3, using SRK3.
Regards,
Yuri.
Yes,
I added the SRK3 key using the same CA private key and public key I used to create the PKI tree with SRK1 and SRK2 originally.
But when I generate SRK3 the add_key.sh script doesn't ask whether I want the CA flag set, whereas hab4_pki_tree.sh does ask when you first generate the PKI tree.
Hi,
Do You use the recent CST 3.3.0?
~Yuri.
Yes, I am using that version. CST 3.3.0
antonio.santagiuliana@eurotech.com
Hello,
just tried:
asking regarding CA flag set is present.
Regards,
Yuri.
Ok.
Now I found out why it didn't ask me that question about the CA flag: it's because I replied with 'yes' instead of 'y' to the previous question 'Is this an SRK key?: yes'.
If I reply with 'y', now I see that it asks if I want the CA flag set. The problem was simple.
thanks