Security question related to OEM key, DRK, RPMB storage, CAAM, SECO

Question asked by Li Zhongyue on Apr 2, 2019
Dear NXP engineers,


I am working on security features on i.MX8QX B0 with Android P 9.0.

Right now I have some questions related to security,

and the FAE told me to ask you in the community.

Could you help with the following questions?


1. As we checked, the OEM key is written into the fuses via SCU APIs.

    May I know whether the "OEM key" is only the public key, or whether the "OEM key" includes both the public key and the private key?


2. I would like every device to have a different device root key (DRK). I suppose the DRK should be a symmetric crypto key, but I don't know where I can store this key. Do you think we can store it in RPMB?

However, I am afraid there would be a risk if we store the key in plaintext in RPMB directly.

I heard the RPMB can be read from the normal world?


3. One more thing: I think the DRK should be signed with the OEM private key, but I don't know how to do it.


4. In CAAM or SECO, is there any API that can create a signature for the DRK with the OEM private key?


I am so confused about the above questions.

I would like to know the basic security policy on i.MX8QX B0.

Looking forward to your detailed explanation.

Thanks a lot.