AnsweredAssumed Answered

adding SRK key's hash to eFuse later

Question asked by Antonio Santagiuliana on Apr 23, 2020
Latest reply on Apr 23, 2020 by Yuri Muhin

Hello

I am using iMX8M Mini. 

I read on CST tool user's manual that you can add keys later, including SRK key.

I was wondering if it is possible to firstly program eFUSE with hash of only  one SRK key, let's call it SRK1 key, and use device in secure mode with this key only.

Then at later time add another SRK key and program the second eFUSE correspondent to this new SRK2 key and move to use it for new images.

Are there any limitations in eFuses writing process and hash that could forbid adding hash data specific to an individual key to eFuse individually and at different times ?

I mean CST will always generate SRK table.bin map , whose hash value is calculated to SRK_fuse.bin.

But this hash is an overall sha-256 value and so it is my understanding that information about individual keys is not carried forward into the hash value, so adding a new key means changing the whole SHA-256, is this correct ?

If that is the case it is not possible to add the part of the hash correspondent  to the new key to the fuses later.

Just to explain better, this is what we would look for :

Firstly I will add 1 SRK key  and generate Hash and write hash to fuse.

Then at later time I will add another SRK key generate new SRK table .bin map and new hash values. Can I update hash value relative to new key to eFuses without problems?

 

thank you

Outcomes