what if i signed uboot with one key and kernel image with another key?

cancel
Showing results for 
Search instead for 
Did you mean: 

what if i signed uboot with one key and kernel image with another key?

81 Views
Contributor I

I used the CST tool to sign the u-boot image with csf1 and  img1 certificate.

csf text which i  given

------------------------------------------------------------------------------------------------

#Illustrative Command Sequence File Description

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = blk_vals file_name

---------------------------------------------------------------------------

then I signed the kernel image with csf3 and img3 certificate.

-----------------------------------------------------------------------

#Illustrative Command Sequence File Description
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 2

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF3_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG3_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = blk_vals file_name

-----------------------------------------------------------------------

However, it fails to load the kernel and it works when I signed both images csf1/img1 or csf3/img3.

what should be take care on CSF text file? 

Tags (1)
0 Kudos
1 Reply

NXP TechSupport
NXP TechSupport

Hello,

   Below is Figure 2 (HABv4 PKI tree) of AN4581 Application Note, Rev. 2, 05/2018

pastedImage_1.png

SRK1 signs CSF1 / IMG1 pair, SRK3 signs CSF3/IMG3, but in the note: "The same SRK must be used

when extending the root of trust beyond the initial boot image."  


Have a great day,
Yuri

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

0 Kudos