帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

i.MX 8X secure boot - keys for two parties rather than one - Yocto Linux

‎08-01-2025 06:52 AM
649 次查看
petero5
Contributor IV

How is the following Secure Boot / Chain of Trust scenario usually handled? What are the precedents?

In most of the documentation/examples, the scenario is simple: the same company creates the device and the application software, sells the device with application software on it, and only their keys need to be accommodated.

However in our case: we manufacture i.MX 8X based devices. Our customers develop software applications for the devices, and then sell the devices with software to their customers.

Our keys are in the AHAB SRK. But we also need to accommodate our customers keys somewhere, so that they can sign their software updates...

We supply our customers with the SDK produced by Yocto, and the Linux rootfs. Our customers don't perform Yocto builds themselves. They build their application software using the SDK.

What precedents are there for how this scenario is usually handled, in terms of secure boot and whose keys are stored where? What is the terminology for the different parties?

Thank you
Peter

标签 (1)
标签
0 项奖励
回复
5 回复数

‎08-03-2025 11:16 PM
609 次查看
Harvey021
NXP TechSupport
NXP TechSupport

The section <7.3 Using CST with Hardware Security Module> of CST User Guide can be a reference for you.

You can download the guide from IMX_CST_TOOL 

 

Regards

Harvey

0 项奖励
回复

‎08-05-2025 02:07 AM
594 次查看
petero5
Contributor IV

Hi @Harvey021 thank you, yes we are using CST with HSM.

But are still looking for best practices re chain of trust involving two companies, rather than one:

Company A manufactures the device, builds the Yocto SDK and the FIT image, U-Boot, Linux kernel and rootfs.

Company B receives the above and develops an application (and creates the application partition).

If A writes the SRKs and closes the device, then B can trust that the device and images have not been tampered with on the way to them.

But there needs to be a way to enroll B's public key for the application partition, or include that in the chain of trust?

Thank you
Peter

0 项奖励
回复

‎08-06-2025 11:05 PM
574 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi  @petero5 

I've sent you internal system emails.

 

Regards

Harvey

0 项奖励
回复

‎08-07-2025 01:23 AM
553 次查看
petero5
Contributor IV

Hi @Harvey021. Thank you. Where can I find the internal system emails please? I've looked under Private Messages / Inbox, but that is empty?

0 项奖励
回复

‎08-07-2025 02:53 AM
538 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Please let me know if you not received yet.

 

Regards

Harvey

0 项奖励
回复
%3CLINGO-SUB%20id%3D%22lingo-sub-2145219%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3Ei.MX%208X%20%E5%AE%89%E5%85%A8%E5%90%AF%E5%8A%A8-%E4%B8%A4%E6%96%B9%E8%80%8C%E4%B8%8D%E6%98%AF%E4%B8%80%E6%96%B9%E7%9A%84%E5%AF%86%E9%92%A5-Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2145219%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%E9%80%9A%E5%B8%B8%E5%A6%82%E4%BD%95%E5%A4%84%E7%90%86%E4%BB%A5%E4%B8%8B%E5%AE%89%E5%85%A8%E5%90%AF%E5%8A%A8%2F%E4%BF%A1%E4%BB%BB%E9%93%BE%E5%9C%BA%E6%99%AF%EF%BC%9F%E6%9C%89%E4%BB%80%E4%B9%88%E5%85%88%E4%BE%8B%EF%BC%9F%3C%2FP%3E%3CP%3E%E5%9C%A8%E5%A4%A7%E5%A4%9A%E6%95%B0%E6%96%87%E6%A1%A3%2F%E7%A4%BA%E4%BE%8B%E4%B8%AD%EF%BC%8C%E5%9C%BA%E6%99%AF%E5%BE%88%E7%AE%80%E5%8D%95%EF%BC%9A%E5%90%8C%E4%B8%80%E5%AE%B6%E5%85%AC%E5%8F%B8%E5%88%9B%E5%BB%BA%E8%AE%BE%E5%A4%87%E5%92%8C%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%E8%BD%AF%E4%BB%B6%EF%BC%8C%E5%87%BA%E5%94%AE%E5%B8%A6%E6%9C%89%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%E8%BD%AF%E4%BB%B6%E7%9A%84%E8%AE%BE%E5%A4%87%EF%BC%8C%E5%8F%AA%E9%9C%80%E8%A6%81%E5%AD%98%E6%94%BE%E5%AF%86%E9%92%A5%E3%80%82%3C%2FP%3E%3CP%3E%E4%BD%86%E6%98%AF%EF%BC%8C%E5%B0%B1%E6%88%91%E4%BB%AC%E8%80%8C%E8%A8%80%EF%BC%9A%E6%88%91%E4%BB%AC%E7%94%9F%E4%BA%A7%E5%9F%BA%E4%BA%8Ei.MX%208X%E7%9A%84%E8%AE%BE%E5%A4%87%E3%80%82%E6%88%91%E4%BB%AC%E7%9A%84%E5%AE%A2%E6%88%B7%E4%B8%BA%E8%AE%BE%E5%A4%87%E5%BC%80%E5%8F%91%E8%BD%AF%E4%BB%B6%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%EF%BC%8C%E7%84%B6%E5%90%8E%E5%B0%86%E5%B8%A6%E6%9C%89%E8%BD%AF%E4%BB%B6%E7%9A%84%E8%AE%BE%E5%A4%87%E5%87%BA%E5%94%AE%E7%BB%99%E5%AE%A2%E6%88%B7%E3%80%82%3C%2FP%3E%3CP%3E%E6%88%91%E4%BB%AC%E7%9A%84%E9%92%A5%E5%8C%99%E5%9C%A8%20AHAB%20SRK%E3%80%82%E4%BD%86%E6%98%AF%EF%BC%8C%E6%88%91%E4%BB%AC%E8%BF%98%E9%9C%80%E8%A6%81%E5%9C%A8%E6%9F%90%E4%B8%AA%E5%9C%B0%E6%96%B9%E4%B8%BA%E5%AE%A2%E6%88%B7%E6%8F%90%E4%BE%9B%E5%AF%86%E9%92%A5%EF%BC%8C%E4%BB%A5%E4%BE%BF%E4%BB%96%E4%BB%AC%E5%8F%AF%E4%BB%A5%E7%AD%BE%E7%BD%B2%E8%BD%AF%E4%BB%B6%E6%9B%B4%E6%96%B0...%3C%2FP%3E%3CP%3E%E6%88%91%E4%BB%AC%E4%B8%BA%E5%AE%A2%E6%88%B7%E6%8F%90%E4%BE%9B%20Yocto%20%E5%BC%80%E5%8F%91%E7%9A%84%20SDK%20%E5%92%8C%20Linux%20rootfs%E3%80%82%E6%88%91%E4%BB%AC%E7%9A%84%E5%AE%A2%E6%88%B7%E4%B8%8D%E4%BC%9A%E8%87%AA%E5%B7%B1%E6%89%A7%E8%A1%8C%20Yocto%20%E7%89%88%E6%9C%AC%E3%80%82%E4%BB%96%E4%BB%AC%E4%BD%BF%E7%94%A8%20SDK%20%E7%89%88%E6%9C%AC%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%E8%BD%AF%E4%BB%B6%E3%80%82%3C%2FP%3E%3CP%3E%E5%B0%B1%E5%AE%89%E5%85%A8%E5%90%AF%E5%8A%A8%E4%BB%A5%E5%8F%8A%E8%B0%81%E7%9A%84%E5%AF%86%E9%92%A5%E5%AD%98%E5%82%A8%E5%9C%A8%E5%93%AA%E9%87%8C%E8%80%8C%E8%A8%80%EF%BC%8C%E9%80%9A%E5%B8%B8%E5%A6%82%E4%BD%95%E5%A4%84%E7%90%86%E8%BF%99%E7%A7%8D%E6%83%85%E5%86%B5%E6%9C%89%E5%93%AA%E4%BA%9B%E5%85%88%E4%BE%8B%EF%BC%9F%E5%90%84%E6%96%B9%E7%9A%84%E6%9C%AF%E8%AF%AD%E6%98%AF%E4%BB%80%E4%B9%88%EF%BC%9F%3C%2FP%3E%3CP%3E%E8%B0%A2%E8%B0%A2%3CBR%20%2F%3EPeter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2145219%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CLINGO-LABEL%3E%E5%AE%89%E5%85%A8%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148361%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20i.MX%208X%20secure%20boot%20-%20keys%20for%20two%20parties%20rather%20than%20one%20-%20Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148361%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%E5%A6%82%E6%9E%9C%E6%82%A8%E8%BF%98%E6%B2%A1%E6%9C%89%E6%94%B6%E5%88%B0%EF%BC%8C%E8%AF%B7%E9%80%9A%E7%9F%A5%E6%88%91%E3%80%82%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%E6%AD%A4%E8%87%B4%3C%2FP%3E%0A%3CP%3E%E5%93%88%E7%BB%B4%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148259%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20i.MX%208X%20secure%20boot%20-%20keys%20for%20two%20parties%20rather%20than%20one%20-%20Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148259%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%E5%97%A8%EF%BC%8C%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192970%22%20target%3D%22_blank%22%3E%40Harvey021%3C%2FA%3E%E3%80%82%E8%B0%A2%E8%B0%A2%E3%80%82%E8%AF%B7%E9%97%AE%E5%9C%A8%E5%93%AA%E9%87%8C%E5%8F%AF%E4%BB%A5%E6%89%BE%E5%88%B0%E5%86%85%E9%83%A8%E7%B3%BB%E7%BB%9F%E9%82%AE%E4%BB%B6%EF%BC%9F%E6%88%91%E6%9F%A5%E7%9C%8B%E4%BA%86%20%22%E7%A7%81%E4%BA%BA%E4%BF%A1%E6%81%AF%22%2F%22%E6%94%B6%E4%BB%B6%E7%AE%B1%22%EF%BC%8C%E4%BD%86%E9%87%8C%E9%9D%A2%E6%98%AF%E7%A9%BA%E7%9A%84%EF%BC%9F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2148085%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20i.MX%208X%20secure%20boot%20-%20keys%20for%20two%20parties%20rather%20than%20one%20-%20Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2148085%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%E4%BD%A0%E5%A5%BD%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F206875%22%20target%3D%22_blank%22%3E%40petero5%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%E6%88%91%E5%B7%B2%E5%90%91%E6%82%A8%E5%8F%91%E9%80%81%E4%BA%86%E5%86%85%E9%83%A8%E7%B3%BB%E7%BB%9F%E9%82%AE%E4%BB%B6%E3%80%82%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%E6%AD%A4%E8%87%B4%3C%2FP%3E%0A%3CP%3E%E5%93%88%E7%BB%B4%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2146770%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20i.MX%208X%20secure%20boot%20-%20keys%20for%20two%20parties%20rather%20than%20one%20-%20Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2146770%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%E4%BD%A0%E5%A5%BD%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192970%22%20target%3D%22_blank%22%3E%40Harvey021%3C%2FA%3E%E8%B0%A2%E8%B0%A2%EF%BC%8C%E6%98%AF%E7%9A%84%EF%BC%8C%E6%88%91%E4%BB%AC%E4%BD%BF%E7%94%A8%E7%9A%84%E6%98%AF%E5%B8%A6%E6%9C%89%20HSM%20%E7%9A%84%20CST%E3%80%82%3C%2FP%3E%3CP%3E%E4%BD%86%E6%88%91%E4%BB%AC%E4%BB%8D%E5%9C%A8%E5%AF%BB%E6%89%BE%E6%9C%80%E4%BD%B3%E5%AE%9E%E8%B7%B5%EF%BC%8C%E5%8D%B3%E6%B6%89%E5%8F%8A%E4%B8%A4%E5%AE%B6%E5%85%AC%E5%8F%B8%E8%80%8C%E4%B8%8D%E6%98%AF%E4%B8%80%E5%AE%B6%E5%85%AC%E5%8F%B8%E7%9A%84%E4%BF%A1%E4%BB%BB%E9%93%BE%EF%BC%9A%3C%2FP%3E%3CP%3EA%20%E5%85%AC%E5%8F%B8%E5%88%B6%E9%80%A0%E8%AF%A5%E8%AE%BE%E5%A4%87%EF%BC%8C%E6%9E%84%E5%BB%BA%20Yocto%20SDK%20%E5%92%8C%20FIT%20%E6%98%A0%E5%83%8F%E3%80%81U-%E5%90%AF%E5%8A%A8%E3%80%81Linux%20%E5%86%85%E6%A0%B8%E5%92%8C%20rootfs%E3%80%82%3C%2FP%3E%3CP%3EB%20%E5%85%AC%E5%8F%B8%E6%94%B6%E5%88%B0%E4%B8%8A%E8%BF%B0%E5%86%85%E5%AE%B9%E5%B9%B6%E5%BC%80%E5%8F%91%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%EF%BC%88%E5%B9%B6%E5%88%9B%E5%BB%BA%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F%E5%88%86%E5%8C%BA%EF%BC%89%E3%80%82%3C%2FP%3E%3CP%3E%E5%A6%82%E6%9E%9C%20A%20%E5%86%99%E5%85%A5%20SRK%20%E5%B9%B6%E5%85%B3%E9%97%AD%E8%AE%BE%E5%A4%87%EF%BC%8C%E5%88%99%20B%20%E5%8F%AF%E4%BB%A5%E7%9B%B8%E4%BF%A1%E8%AE%BE%E5%A4%87%E5%92%8C%E5%9B%BE%E5%83%8F%E5%9C%A8%E5%8F%91%E5%BE%80%E5%AE%83%E4%BB%AC%E7%9A%84%E9%80%94%E4%B8%AD%E6%B2%A1%E6%9C%89%E8%A2%AB%E7%AF%A1%E6%94%B9%E3%80%82%3C%2FP%3E%3CP%3E%E4%BD%86%E6%98%AF%E5%90%A6%E9%9C%80%E8%A6%81%E4%B8%80%E7%A7%8D%E6%96%B9%E6%B3%95%E6%9D%A5%E4%B8%BA%E5%BA%94%E7%94%A8%E5%88%86%E5%8C%BA%E6%B3%A8%E5%86%8C%20B%20%E7%9A%84%E5%85%AC%E9%92%A5%EF%BC%8C%E6%88%96%E8%80%85%E5%B0%86%E5%85%B6%E7%BA%B3%E5%85%A5%E4%BF%A1%E4%BB%BB%E9%93%BE%EF%BC%9F%3C%2FP%3E%3CP%3E%E8%B0%A2%E8%B0%A2%3CBR%20%2F%3EPeter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2145906%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20i.MX%208X%20secure%20boot%20-%20keys%20for%20two%20parties%20rather%20than%20one%20-%20Yocto%20Linux%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2145906%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%26lt%3B7.3%E5%B0%86%20CST%20%E4%B8%8E%20CST%20%E7%94%A8%E6%88%B7%E6%8C%87%E5%8D%97%E7%9A%84%E7%A1%AC%E4%BB%B6%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E6%A8%A1%E5%9D%97%20%26gt%3B%20%E4%B8%80%E8%B5%B7%E4%BD%BF%E7%94%A8%E5%8F%AF%E4%BB%A5%E4%BD%9C%E4%B8%BA%E5%8F%82%E8%80%83%E3%80%82%3C%2FP%3E%0A%3CP%3E%E6%82%A8%E5%8F%AF%E4%BB%A5%E4%BB%8E%3CA%20href%3D%22https%3A%2F%2Fwww.nxp.com%2Fwebapp%2FDownload%3FcolCode%3DIMX_CST_TOOL_NEW%26amp%3BappType%3Dlicense%26amp%3Blocation%3Dnull%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EIMX_CST_TOOL%3C%2FA%3E%E4%B8%8B%E8%BD%BD%E6%8C%87%E5%8D%97%E3%80%82%20%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%E6%AD%A4%E8%87%B4%3C%2FP%3E%0A%3CP%3E%E5%93%88%E7%BB%B4%3C%2FP%3E%3C%2FLINGO-BODY%3E