secure Boot on i.MX6 - signing with several keys


2,321 views
patrickjakob
Contributor II

Dear NXP Community,

I want to test the secure boot feature on i.MX6. I created 4 SRK keys with the CST and can sign the U-Boot. I burned the SRK hash table to the fuses and set the fuse sec_config to closed. I can sign the U-Boot image, download it and start it. Unsigned or wrongly signed images don't start and I get HAB events, so everything works fine.

I tried it only with the first SRK key. So my next test is signing the image with the second SRK key. I think I only have to change some commands in the CSF. So I changed the "source index" argument of the "Install SRK" command from 0 to 1 and changed the "file" argument of the "Install CSFK" and "Install Key" commands. Now I can sign the image, but if I authenticate the image I get HAB events. So my question is: can I sign the image with the second SRK key, or must I revoke the first key before I can authenticate the image with the second key?

best regards

Patrick Jakob

2 Replies

1,957 views
Yuri
NXP Employee

Hello,

Double-check the size of SRK_1_2_3_4_table.bin: are all 4 SRK keys in the SRK table?

Only the first SRK0 may be present in the SRK_1_2_3_4_table.bin file, because of spaces between the SRK certificate key files after "," in the srktool command line used to generate SRK_1_2_3_4_table.bin.

One must pay attention to the instruction in srktool --help that mentions:

"Certificate filenames must be separated by a ','with no spaces"

Regards,

Yuri.
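
The size check suggested in the reply above can be done by counting the key entries in the table file. This is an added example, not code from the thread or from NXP's tools; it assumes the HAB4 SRK table layout (table header tag 0xD7, key entries tagged 0xE1 with a 12-byte entry header), which the page does not state, and it runs on tables constructed inline with dummy moduli.

```python
import struct

HAB_TAG_CRT = 0xD7  # SRK table header tag (assumed HAB4 layout)
HAB_TAG_KEY = 0xE1  # public key entry tag (assumed HAB4 layout)

def parse_srk_table(blob: bytes) -> list:
    """Return one dict per key entry found in an SRK table image."""
    if len(blob) < 4:
        raise ValueError("too short for an SRK table header")
    tag, total_len, _version = struct.unpack(">BHB", blob[:4])
    if tag != HAB_TAG_CRT:
        raise ValueError(f"unexpected table tag 0x{tag:02x}")
    if total_len != len(blob):
        raise ValueError(f"header says {total_len} bytes, file has {len(blob)}")
    keys, off = [], 4
    while off < total_len:
        if off + 12 > total_len:
            raise ValueError(f"truncated key entry at offset {off}")
        ktag, klen, _alg = struct.unpack(">BHB", blob[off:off + 4])
        # Bytes 4..7 of the entry are reserved/flags; the sizes follow them.
        n_bytes, e_bytes = struct.unpack(">HH", blob[off + 8:off + 12])
        if ktag != HAB_TAG_KEY or klen != 12 + n_bytes + e_bytes or off + klen > total_len:
            raise ValueError(f"malformed key entry at offset {off}")
        keys.append({"index": len(keys), "offset": off, "modulus_bits": n_bytes * 8})
        off += klen
    return keys

def check_source_index(blob: bytes, source_index: int) -> bool:
    """True if the CSF "source index" refers to a key present in the table."""
    return 0 <= source_index < len(parse_srk_table(blob))

def make_table(n_keys: int, n_bytes: int = 256, e: bytes = b"\x01\x00\x01") -> bytes:
    """Constructed SRK table with dummy moduli, for the demonstration only."""
    entries = b""
    for i in range(n_keys):
        body = (b"\x00\x00\x00\x80" + struct.pack(">HH", n_bytes, len(e))
                + bytes([i + 1]) * n_bytes + e)
        entries += struct.pack(">BHB", HAB_TAG_KEY, 4 + len(body), 0x21) + body
    return struct.pack(">BHB", HAB_TAG_CRT, 4 + len(entries), 0x40) + entries

if __name__ == "__main__":
    for label, table in (("4 certificates", make_table(4)), ("1 certificate", make_table(1))):
        print(f"{label}: {len(table)} bytes, {len(parse_srk_table(table))} entries, "
              f"source index 1 usable: {check_source_index(table, 1)}")
```

To check a real table, pass the bytes of SRK_1_2_3_4_table.bin to `parse_srk_table`; a table holding a single entry cannot serve a CSF whose "source index" is 1.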


1,957 views
Yuri
NXP Employee

Hello,

Basically, any of the SRKs (with the proper hash burned) may be used for signing.

The revocation is intended to disable using compromised SRK.

Have a great day,
Yuri
