Dear NXP Community,
i want to test the secure Boot feature on i.MX6. I created 4 SRK-Keys with the CST and can sign the U-Boot. I burned the SRK-Hash table to the fuses and set the fuse sec_config to closed. I can signing the U-Boot image, download it and start it. Unsigned or wrong signed images dont start and i get HAB Events, so everything works fine.
I tried it only with the first SRK-Key. So my next test is signing the image with the second SRK-Key. I think i only have to change some commands in the CSF. So i changed the command "Install SRK" argument "source index" from 0 to 1 and changed the "file" argument of the Commands "Install CSFK" and "Install Key". Now i can sign the Image but if i authenticate the image i get HAB Events. So my question is can i sign the image with the second SRK-Key or must i revoke the first key and after that i can authenticate the image with the second key?
best regards
Patrick Jakob
 
					
				
		
 Yuri
		
			Yuri
		
		
		
		
		
		
		
		
	
			
		
		
			
					
		Hello,
double check SRK_1_2_3_4_table.bin's size; are all 4 SRK keys in the SRK table
Only the first SRK0 may present in SRK_1_2_3_4_table.bin file, because of spaces
between SRK certificates keys files after "," in srktool cmd line to generate SRK_1_2_3_4_table.bin.
One must pay attention to the instruction in srktool --help that mention
"Certificate filenames must be separated by a ','with no spaces"
Regards,
Yuri.
 
					
				
		
 Yuri
		
			Yuri
		
		
		
		
		
		
		
		
	
			
		
		
			
					
		Hello,
Basically any of SRK (with burned proper hash) may be used for signing.
The revocation is intended to disable using compromised SRK.
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
