I am using script add_key.sh to add a new SRK key ( SRK3 ) to an already done PKIT tree containing 2 SRK keys ( SRK1 and SRK2 ).
I answer the questions as follow :
Which version of HAB/AHAB do you want to generate the key for (4 = HAB4 / a = AHAB)?: 4
Enter new key name (e.g. SRK5): SRK3
Enter new key type (ecc / rsa): rsa
Enter new key length in bits: 4096
Enter certificate duration (years): 10
Is this an SRK key?: yes
Enter SRK signing key name: ..path..CA1_sha256_4096_65537_v3_ca_key.pem
Enter SRK signing certificate name: ..path..CA1_sha256_4096_65537_v3_ca_crt.pem
Generating RSA private key, 4096 bit long modulus (2 primes)
SRK3 private/public key pair is generated.
Now I try generating theSRK table and the fuse map with the 3 SRK keys ( 2 SRK keys added when builing the PKI tree at the beginning and this SRK3 key just added ).
I get the error message :
[ERROR] SRKTOOL: All certificates must be either CA or user certs
Why does this happen ?
SRK1 and SRK2 were defined at the beginning with CA flag set to 'yes':
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 10
How many Super Root Keys should be generated? 2
Do you want the SRK certificates to have the CA flag set? (y/n)?: y
that means that IMG1,IMG2,CST1,CST2 keys were also generated.
I then tried to add also IMG3 and CST3 keys signed by the new SRK3 key, by using script add_key.sh , but I anyway got the same error then when I tried to generate the SRK table and fuse map with SRK1, SRK2, SRK3.
If I generate instead initially SRK tree with 2 keys, SRK1 and SRK2, with CA flag set to no, then I don't get any error if I build SRK table after I added SRK3 with script add_key.sh.
In summary, does it mean that if I want to add an SRK key later to a PKI tree with two SRK keys already generated I need to generate all the SRK keys with CA not set ?
And then does it mean that I cannot have IMG and CST keys ? Selecting Do you want the SRK certificates to have the CA flag set? (y/n)?: n
'n' here means we switch to use fast authentication so only SRK key is used, is that right ?
Can I use this fast authentication configuration on iMx8M Mini ? I read that it is supported only from HAB 4.1.2.
Or what other limitations are there if I want to add SRK keys later ?