
secure boot i.MX, key management

Question asked by thomaslinder on May 26, 2020
Latest reply on May 27, 2020 by Yuri Muhin

Hi guys,

I am trying to introduce secure boot in our products. Before I turn it on in the whole world I would like to clear up some points. Maybe you can help me with that. Would be great.

1. If I generated 4 SRKs and burned the hash from the hexdump command in the fuses of the i.MX, it is not possible to generate/add another key with add_key and use it to sign the uImage and u-boot, right?

2. Which files do I need to protect, for example with "git secret"? Key management suggestion?

3. Is there any chance to "regenerate" a key from the key_pass.txt that I can use to sign images? Let's say in case all of the 4 SRK/IMG files I need to sign get lost (for whatever reason). Am I able to still generate signed images that will be accepted by the burned hash on the i.MX?

4. What about the validity date of the generated key/crts? Can this be checked from the i.MX processor? If I set it to 10 years, will the device stop booting after this time?

 

Maybe an additional question: is there any Yocto integration planned on meta-freescale?

 

Thanks guys
