FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

secure Boot on i.MX6 - signing with several keys

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

secure Boot on i.MX6 - signing with several keys

‎08-17-2016 05:41 AM
1,572 Views
patrickjakob
Contributor II

Dear NXP Community,

i want to test the secure Boot feature on i.MX6. I created 4 SRK-Keys with the CST and can sign the U-Boot. I burned the SRK-Hash table to the fuses and set the fuse sec_config to closed. I can signing the U-Boot image, download it and start it. Unsigned or wrong signed images dont start and i get HAB Events, so everything works fine.

I tried it only with the first SRK-Key. So my next test is signing the image with the second SRK-Key. I think i only have to change some commands in the CSF. So i changed the command "Install SRK" argument "source index" from 0 to 1 and changed the "file" argument of the Commands "Install CSFK" and "Install Key". Now i can sign the Image but if i authenticate the image i get HAB Events. So my question is can i sign the image with the second SRK-Key or must i revoke the first key and after that i can authenticate the image with the second key?

best regards

Patrick Jakob

Labels (4)
Labels
0 Kudos
Reply
2 Replies

‎04-14-2019 11:26 PM
1,208 Views
Yuri
NXP Employee
NXP Employee

Hello,

   double check  SRK_1_2_3_4_table.bin's size;  are all 4 SRK keys in the SRK table

Only the first SRK0 may present in SRK_1_2_3_4_table.bin file, because of  spaces 

between SRK certificates keys files after "," in srktool cmd line to generate SRK_1_2_3_4_table.bin.

  One must pay attention to the instruction in srktool --help that mention

"Certificate filenames must be separated by a ','with no spaces"

Regards,

Yuri.

0 Kudos
Reply

‎08-18-2016 07:15 PM
1,208 Views
Yuri
NXP Employee
NXP Employee

Hello,

Basically any of SRK (with burned proper hash) may be used for signing.

The revocation is intended to disable using compromised SRK.

Have a great day,
Yuri

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Reply