Hi guys,
I'm trying to introduce secure boot in our products. Before I turn it on in the whole world I would like to clear up some points. Maybe you can help me with that. That would be great.
1. If I generated 4 SRKs and burned the hash from the hexdump command in the fuses of the i.MX, it is not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?
2. Which files do I need to protect, for example with "git secret"? Key management suggestions?
3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say in case all of the 4 SRK/IMG files I need to sign get lost (for whatever reason). Am I able to still generate signed images that will be accepted by the burned hash on the i.MX?
4. What about the validity date of the generated key/crts? Can this be checked from the i.MX processor? If I set it to 10 years, will the device stop booting after this time?
Maybe an additional question: is there any Yocto integration planned on meta-freescale?
Thanks guys
Hello,
Please look at my comments below.
1. Yes, it is not possible to generate/add another key, since the SRK fuse hash is generated for all 4 keys.
2. Private keys must be protected as much as possible.
3. There is no ability to "regenerate" keys from the key_pass.txt. Private keys are used to sign images; corresponding public keys are applied to check the images.
4. The validity date is not checked by the boot ROM (HAB).
5. Use the U-Boot documentation.
habv4\imx\doc - uboot-imx - i.MX U-Boot
Regards,
Yuri.