
iMX6SoloX - fast authentication - uImage signing.

Question asked by ARKADIUSZ KARAS on Mar 28, 2017
Latest reply on Apr 2, 2017 by Victor Linnik

Hello all,

 

I have a question regarding secure boot on the iMX6SoloX processor, in fast authentication mode.

I have managed to successfully boot a signed u-boot image in fast authentication mode.

I have generated 4 SRK keys for HAB, as described in MX6UL HAB (High Assurance Boot) https://community.nxp.com/docs/DOC-275249.

For signing u-boot I use the following file:

#Illustrative Command Sequence File Description
[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
# Key slot index 0 used to authenticate the image data
Verification index = 0
Blocks = 0x8bfff7d0 0x00000000 0x00058000 "u-boot-pad.imx"

 

Now, I also want to check the signature for uImage, but I want to use a different key for that.

I tried with the following configuration first:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine = ANY
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install NOCAK]
File = "crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = CAAM
Features = RNG

[Authenticate Data]
Verification index = 0
Blocks = 0x80810000 0x0 0x385020 "uImage.pad.ivt"

It works properly with the "SRK1_sha256_2048_65537_v3_usr_crt.pem" key, but if I try to use a different certificate (i.e. SRK2_sha256_2048_65537_v3_usr_crt.pem) I always get a signature check failure.

So my question is: is it possible to sign uImage with a different key than u-boot in fast authentication mode?

Regards

Arek Karaś
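
A consistency check for CSF files like the two above, as an added example that is not part of the original post or of NXP's tooling. In a fast-authentication CSF the certificate under [Install NOCAK] is the SRK itself, so it has to be the table entry that Source index selects. The check assumes the naming seen in the post, where SRK<n> is entry n-1 of SRK_1_2_3_4_table.bin; `parse_csf`, `lint_fast_auth` and the sample input are constructed for illustration.

```python
import re

# Constructed sample: the uImage CSF from the post with the NOCAK
# certificate swapped to SRK2 and Source index left at 0.
SAMPLE_CSF = """
[Header]
Version = 4.1
[Install SRK]
File = "crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install NOCAK]
File = "crts/SRK2_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Authenticate Data]
Verification index = 0
Blocks = 0x80810000 0x0 0x385020 "uImage.pad.ivt"
"""

def parse_csf(text):
    """Return {section: {lower-cased key: raw value}} for a CSF description file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def lint_fast_auth(text):
    """Return findings where the NOCAK certificate and Source index disagree."""
    csf = parse_csf(text)
    if "Install SRK" not in csf or "Install NOCAK" not in csf:
        return ["missing [Install SRK] or [Install NOCAK] section"]
    try:
        index = int(csf["Install SRK"].get("source index", ""))
    except ValueError:
        return ["[Install SRK] has no numeric Source index"]
    cert = csf["Install NOCAK"].get("file", "").strip('"')
    # Assumed naming: SRK<n>_... is entry n-1 of the SRK table.
    match = re.search(r"SRK(\d+)_", cert)
    if match is None:
        return [f"cannot derive SRK number from {cert!r}"]
    if int(match.group(1)) - 1 != index:
        return [f"NOCAK uses SRK{match.group(1)} but Source index = {index} "
                f"selects SRK{index + 1}"]
    return []

if __name__ == "__main__":
    print(lint_fast_auth(SAMPLE_CSF))
```

An empty list means the certificate name and Source index agree; it does not show that the image verifies on the target.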
