High Availability Boot processes and only using code-signing certificates


796 Views
simonboland
Contributor I

(I asked the same question on the security stack exchange website. I'm doing what is largely a cut and paste here with a few more things.)

High Availability Boot (HAB) is a technique described here in an NXP application note. The procedure burns Super Root Key (SRK) fuses using a software tool called srktool. In its proper use, I would use an SSL certificate with the OID set for code-signing. This would have an OID of 1.3.6.1.5.5.7.3.3.

However, there doesn't appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 1.3.6.1.5.5.7.3.2.

The problem is that if I have two certificates from the same CA:

  1. Code-signing certificate
  2. Client certificate

I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.

The only option is to use different CAs for both code-signing and client certs. I'm wondering if there's some way to check the OIDs?

This blog post suggests that the entire certificate is parsed. Can I enforce the KeyUsage check in the INSTALL_KEY CSF Command?

0 Kudos
2 Replies

646 Views
Yuri
NXP Employee

Hello,

Customers can use CST sources, provided with the recent CST 3.2.0, in order to clarify CST usage details.

 

https://www.nxp.com/webapp/Download?colCode=IMX_CST3.2.0_TOOL

Have a great day,

Yuri

 


0 Kudos

646 Views
simonboland
Contributor I

Hi Yuri, 

Does it mean that I can modify the CST tool to customise it to support a check of the OIDs?  

I was looking at this but wasn't sure where to make the necessary change.  If you can point me to the specific area or give me more details that would be great.

Regards,

Simon

0 Kudos
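
An added example, not part of the thread and not NXP CST code: a host-side check that reads the Extended Key Usage OIDs named in the question from a DER-encoded certificate and refuses anything that is not a code-signing certificate. The rejection policy, the function names and the sample bytes are assumptions constructed for illustration.

```python
EKU_EXT = "2.5.29.37"               # id-ce-extKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # OID quoted in the question
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # OID quoted in the question
# Constructed sample, not a real certificate: SEQUENCE { INTEGER, [3] { extensions } }
SAMPLE_CODE_SIGNING = bytes.fromhex("301c020101a317301530130603551d25040c300a06082b06010505070303")
SAMPLE_CLIENT_AUTH = SAMPLE_CODE_SIGNING[:-1] + b"\x02"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(value):
    first = min(value[0] // 40, 2)         # first byte packs the first two arcs
    arcs, acc = [first, value[0] - 40 * first], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """EKU OIDs found in DER bytes, or None when the extension is absent."""
    for tag, value in children(der):
        kids = list(children(value)) if tag == 0x30 else []
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
            seq = read_tlv(kids[-1][1], 0)[1]   # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for _, v in children(seq)]
        found = eku_oids(value) if tag & 0x20 else None   # descend into constructed types
        if found is not None:
            return found
    return None

def allowed_for_signing(der):
    """Policy (an assumption): EKU present, lists codeSigning, omits clientAuth."""
    oids = eku_oids(der)
    return oids is not None and CODE_SIGNING in oids and CLIENT_AUTH not in oids
```

The functions take DER bytes, so a PEM certificate has to be converted first, for example with `openssl x509 -outform DER`.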