
What if I signed u-boot with one key and the kernel image with another key?

Question asked by Sathish ram Murugan on Jan 26, 2020
Latest reply on Feb 7, 2020 by Yuri Muhin

I used the CST tool to sign the u-boot image with the csf1 and img1 certificates.

The CSF text which I gave:

------------------------------------------------------------------------------------------------

#Illustrative Command Sequence File Description

[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = blk_vals file_name

---------------------------------------------------------------------------

 

Then I signed the kernel image with the csf3 and img3 certificates.

-----------------------------------------------------------------------

#Illustrative Command Sequence File Description
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = ANY
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 2

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF3_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG3_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = blk_vals file_name

-----------------------------------------------------------------------

 

However, it fails to load the kernel, and it works when I sign both images with csf1/img1 or csf3/img3.

What should I take care of in the CSF text file?
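Added example, not part of the original post and not NXP's CST code: a small Python parser that reads the two CSF files posted above and lists every field that differs, so the key material each boot stage asks HAB to install can be compared side by side. The function names `parse_csf` and `diff_csf` and the trimmed sample strings are constructed for illustration.

```python
import re

# Constructed sample: key-bearing lines of the two CSF files posted above.
UBOOT_CSF = '''
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target Index = 2
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
'''
KERNEL_CSF = (UBOOT_CSF.replace("Source index = 0", "Source index = 2")
              .replace("CSF1_1", "CSF3_1").replace("IMG1_1", "IMG3_1"))


def parse_csf(text):
    """Return {(section, key): value}; section and key names are lower-cased."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line and section:
            key, value = line.split("=", 1)
            fields[(section, key.strip().lower())] = value.strip().strip('"')
    return fields


def diff_csf(a, b):
    """List (section, key, value_a, value_b) for every field that differs."""
    fa, fb = parse_csf(a), parse_csf(b)
    return [(s, k, fa.get((s, k)), fb.get((s, k)))
            for (s, k) in sorted(set(fa) | set(fb))
            if fa.get((s, k)) != fb.get((s, k))]


if __name__ == "__main__":
    for section, key, u, k in diff_csf(UBOOT_CSF, KERNEL_CSF):
        print(f"[{section}] {key}: u-boot={u!r} kernel={k!r}")
```

On the two files as posted, the differences are the CSFK certificate, the IMG certificate, and the `Source index` under `[Install SRK]` (0 for u-boot, 2 for the kernel).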
