secure boot i.MX, key management


860 Views
emptyfridge
Contributor III

Hi guys,

I'm trying to introduce secure boot in our products. Before I turn it on in the whole world, I would like to clear up some points. Maybe you can help me with that. That would be great.

1. If I generated 4 SRKs and burned the hash from the hexdump command in the fuses of the i.MX, it is not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?

2. Which files do I need to protect, for example with "git secret"? Key management suggestions?

3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say in case all of the 4 SRK/IMG files I need to sign get lost (for whatever reason). Am I able to still generate signed images that will be accepted by the burned hash on the i.MX?

4. What about the validity date of the generated key/crts? Can this be checked by the i.MX processor? If I set it to 10 years, will the device stop booting after this time?

Maybe an additional question: is there any Yocto integration planned on meta-freescale?

Thanks guys

0 Kudos
1 Reply

805 Views
Yuri
NXP Employee

thomaslinder 

Hello,

  Please look at my comments below.

1.
  Yes, it is not possible to generate/add another key, since the SRK fuse hash is generated for all 4 keys.

2.
   Private keys must be protected as much as possible.
   
3.
  No ability to "regenerate" keys from the key_pass.txt. Private keys are used to sign images; corresponding public keys are applied to check the images.

4.
  The validity date is not checked by boot ROM (HAB).

5.

   Use the U-Boot documentation.

habv4\imx\doc - uboot-imx - i.MX U-Boot 

Regards,

Yuri.

0 Kudos
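
A simplified model of the point in answer 1, added here as an example (not code from the thread, from NXP's tooling or from the boot ROM): the burned value is a digest over all four public keys, so a key table containing any other key no longer matches the fuses. The key bytes are constructed placeholders, and the hash-of-digests layout is an assumption made for illustration, not the byte-exact SRK table format.

```python
import hashlib
import struct


def key_digest(pubkey: bytes) -> bytes:
    """Digest of one public key (stand-in for one SRK table entry)."""
    return hashlib.sha256(pubkey).digest()


def fuse_digest(pubkeys) -> bytes:
    """Assumed model: one SHA-256 over the four per-key digests."""
    if len(pubkeys) != 4:
        raise ValueError("the fuse hash covers a table of exactly 4 SRKs")
    return hashlib.sha256(b"".join(key_digest(k) for k in pubkeys)).digest()


def fuse_words(digest: bytes):
    """Eight 32-bit words, read little-endian, which is how a 4-byte
    hexdump format on a little-endian host displays the 32 bytes."""
    return ["0x%08X" % w for w in struct.unpack("<8I", digest)]


def table_accepted(pubkeys, burned: bytes) -> bool:
    """Model of the boot-time check: recompute the digest and compare."""
    try:
        return fuse_digest(pubkeys) == burned
    except ValueError:
        return False


# Constructed placeholders standing in for the four SRK public keys.
SRKS = [b"constructed-srk-%d-public" % i for i in range(1, 5)]
BURNED = fuse_digest(SRKS)            # value written to the fuses once
NEW_KEY = b"constructed-srk-5-public"  # a key generated after burning


def demo():
    return {
        "original table": table_accepted(SRKS, BURNED),
        "one key replaced": table_accepted(SRKS[:3] + [NEW_KEY], BURNED),
        "fifth key appended": table_accepted(SRKS + [NEW_KEY], BURNED),
    }


if __name__ == "__main__":
    print("fuse words:", " ".join(fuse_words(BURNED)))
    for case, ok in demo().items():
        print("%-20s -> %s" % (case, "match" if ok else "MISMATCH"))
```

Only the public halves enter the digest, which is also why answer 3 holds: nothing stored in the fuses (or in a passphrase file) can reproduce a lost private key.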