I am just digging through the documentation of the i.MX6 to find out what is technically possible concerning the use of multiple signature certificates. At the section Install Key Command in HAB API doc and CSF Language Description in CST doc I found
"The user is responsible for managing the key slots in the internal key stores to establish the desired public or secret key hierarchy and determine the keys used in authentication operations."
Though is it technically possible (independent if it's worth doing that) to implement a hierarchy of signature certificates where documentation just prints the IMG1 cert? This is how I understand the parameters verificationIndex and targetIndex, but I think documentation is too short to be sure.
The following quick draw shows what I understood and which extremes would be possible to implement using HAB4.
I would be pleased if you could tell me if I am correct or totally wrong.
CA1 = self-signed, CA2 and CA3 are subCA of any other CA.
arrows denote something like "issues". Leaves would be used for signatures.
minimal and fast auth cases seem to be clear.
However, what about the extrem cases of max. depth and max. count?
Do I understand the possible use of multiple Install Key commands correctly?