I am trying to introduce secure boot in our products. Before I turn it on worldwide, I would like to clear up some points. Maybe you can help me with that; it would be great.
1. If I generated 4 SRKs and burned the hash from the hexdump command into the fuses of the i.MX, it is not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?
2. Which files do I need to protect, for example with "git secret"? Any key management suggestions?
3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say all of the 4 SRK/IMG files I need for signing get lost (for whatever reason). Am I still able to generate signed images that will be accepted by the burned hash on the i.MX?
4. What about the validity date of the generated key/crts? Can this be checked by the i.MX processor? If I set it to 10 years, will the device stop booting after this time?
Maybe an additional question: is there any Yocto integration planned for meta-freescale?